How Technology Caught the Austin Serial Bomber (foxnews.com) 93

Wednesday police in Austin, Texas finally located the "serial bomber" believed to be responsible for six package bombs which killed two people over the last three weeks. "The operation was aided by different uses of technology, including surveillance cameras and cell phone triangulation." An anonymous reader shares this article: The suspect, who has been identified as 24-year-old Mark Anthony Conditt, was killed near the motel he was traced to thanks to surveillance footage from a Federal Express drop-off store, The Austin American-Stateman reported. The authorities were able to gather information after police noticed the subject shipped an explosive device from a Sunset Valley FedEx store, a suburb approximately 25 minutes away from Austin. The evidence included the security footage from the store, as well as store receipts obtained showing suspicious transactions. The authorities were also able to look at the individual's Google search history, the Statesman noted, which gave them further insight into his dealings...

The authorities were also able to use cell phone triangulation technology, which provides a cell phone's location data via information collected from nearby cell towers... The phone's GPS capabilities can track the phone within 5 to 10 feet and can also provide "historical" or "prospective" location information. It can also "ping" the phone, forcing it to reveal its exact location... As cell phone companies store this type of data, law enforcement authorities must request it via the appropriate court processes.

"Authorities in Austin were able to use this technology to trace the suspect to a hotel in Williamson County."

School Pays To Get an Algorithm To Scan Students' Social Media For Threats and Suicide Risks Posts (wbur.org) 79

When someone visits the buildings of Shawsheen Valley Technical High School in Billerica, as they walk through the secure foyer, they have to get their driver's license or another state-issued ID scanned. But the secure foyer does kind of a high-level national background check, too, explains Superintendent Tim Broadrick. From a report: The "LobbyGuard" scanner is the size of a computer tablet. It scans a driver's license, takes a picture of the school visitor and if all is OK with the person's background check, almost instantly clears the person to enter the school. An employee behind a window then pushes a button and unlocks the door to the school hallway. Amid nationwide concern about school shootings, there's talk at Shawsheen Tech of covering the wall of glass in the lobby with a special film to make it harder for a bullet to pierce. There's also a police officer -- known as a school resource officer -- stationed at the school. He has an office in the lobby. And the school has adopted another security measure to try to protect students from attacks -- one you can't see. It's a computer program designed to detect threats against the school in social media posts. And it runs 24/7.

"It's receiving and filtering and then gives us alerts when certain kinds of public communication are detected," Broadrick explains. Shawsheen Tech buys the social media scanning service from a Vermont-based company called Social Sentinel. It's one of many technology firms doing some form of social media scanning or monitoring. Social Sentinel claims it's the only one with expertise in protecting schools. Shawsheen Tech has about 1,300 students. It pays Social Sentinel approximately $10,000 per year, according to Broadrick.


Firefox In 2018: We'll Tackle Bad Ads, Breach Alerts, Autoplay Video, Says Mozilla (zdnet.com) 81

An anonymous reader quotes a report from ZDNet: Firefox maker Mozilla has outlined its 2018 roadmap to make the web less intrusive and safer for users. First up, Mozilla says it will proceed and implement last year's experiment with a breach alerts service, which will warn users when their credentials have been leaked or stolen in a data breach. Mozilla aims to roll out the service around October. Breach Alerts is based on security consultant Troy Hunt's data breach site Have I Been Pwned. Firefox will also implement a similar block on autoplay video to the one Chrome 66 will introduce next month, and that Safari already has. However, Dotzler says Firefox's implementation will "provide users with a way to block video auto-play that doesn't break websites". This feature is set to arrive in Firefox 62, which is scheduled for release in May.

After Firefox 62 the browser will gain an optional Chrome-like ad filter and several privacy-enhancing features similar to those that Apple's WebKit developers have been working on for Safari's Intelligent Tracking Prevention. By the third quarter of 2018, Firefox should also be blocking ad-retargeting through cross-domain tracking. It's also going to move all key privacy controls into a single location in the browser, and offer more "fine-grained" tracking protection. Dotzler says Mozilla is in the "early stages" of determining what types of ads Firefox should block by default. Also on the roadmap is a feature that arrived in Firefox 59, released earlier this month. A new Global Permissions feature will help users avoid having to deny every site that requests permission for location, camera, microphone and notifications. Beyond security and privacy, Mozilla plans to build on speed-focused Quantum improvements that came in Firefox 57 with smoother page rendering.


FCC Chief Cites Concerns on Spy Threats From Chinese Telecoms Firms (reuters.com) 42

Federal Communications Commission Chairman Ajit Pai, in a letter sent to lawmakers earlier this week (but released just now), said he shares the concerns of U.S. lawmakers about espionage threats from Chinese smartphone maker Huawei and plans to take "proactive steps" to ensure the integrity of the U.S. communications supply chain. From a report: Pai said he shares concerns over the "security threat that Huawei and other Chinese technology companies pose to our communications networks." Pai said he intends to take action in the "near future," but offered no specifics. Pai's letter follows the introduction of legislation by Republican Senators Tom Cotton and Marco Rubio in February that would block the U.S. government from buying or leasing telecoms equipment from Huawei, the world's third largest smartphone maker, or Chinese telecommunications equipment maker ZTE Corp, citing concerns the companies would use their access to spy on U.S. officials.
Social Networks

My Cow Game Extracted Your Facebook Data (theatlantic.com) 53

Ian Bogost, writing for The Atlantic: Already in 2010, it felt like a malicious attention market where people treated friends as latent resources to be optimized. Compulsion rather than choice devoured people's time. Apps like FarmVille sold relief for the artificial inconveniences they themselves had imposed. In response, I made a satirical social game called Cow Clicker. Players clicked a cute cow, which mooed and scored a "click." Six hours later, they could do so again. They could also invite friends' cows to their pasture, buy virtual cows with real money, compete for status, click to send a real cow to the developing world from Oxfam, outsource clicks to their toddlers with a mobile app, and much more. It became strangely popular, until eventually, I shut the whole thing down in a bovine rapture -- the "cowpocalypse." It's kind of a complicated story.

But one worth revisiting today, in the context of the scandal over Facebook's sanctioning of user-data exfiltration via its application platform. It's not just that abusing the Facebook platform for deliberately nefarious ends was easy to do (it was). But worse, in those days, it was hard to avoid extracting private data, for years even, without even trying. I did it with a silly cow game. Cow Clicker is not an impressive work of software. After all, it was a game whose sole activity was clicking on cows. I wrote the principal code in three days, much of it hunched on a friend's couch in Greenpoint, Brooklyn. I had no idea anyone would play it, although over 180,000 people did, eventually. And yet, if you played Cow Clicker, even just once, I got enough of your personal data that, for years, I could have assembled a reasonably sophisticated profile of your interests and behavior. I might still be able to; all the data is still there, stored on my private server, where Cow Clicker is still running, allowing players to keep clicking where a cow once stood, before my caprice raptured them into the digital void.


US Charges Iranians For Global Cyber Attacks on Behalf of Tehran (reuters.com) 35

The United States on Friday charged nine Iranians and an Iranian company with attempting to hack into hundreds of U.S. and international universities, dozens of companies and parts of the U.S. government on behalf of the Tehran government. From a report: The cyber attack pilfered more than 31 terabytes of academic data and intellectual property from 144 U.S. universities and 176 universities in 21 foreign countries, the U.S. Department of Justice said in a statement. The U.S. Treasury Department said on its website that it was placing sanctions on those accused and the Mabna Institute, a company described by U.S. prosecutors as designed to help Iranian research organizations steal information.

More Evidence Ties Alleged DNC Hacker Guccifer 2.0 To Russian Intelligence (techcrunch.com) 197

An anonymous reader shares a report: It may be a while since you've heard the handle "Guccifer 2.0," the hacker who took responsibility for the infamous DNC hack of 2016. Reports from the intelligence community at the time, as well as common sense, pegged Guccifer 2.0 not as the Romanian activist he claimed to be, but a Russian operative. Evidence has been scarce, but one slip-up may have given the game away. An anonymous source close to the U.S. government investigation of the hacker told the Daily Beast that on one single occasion, Guccifer 2.0 failed to log into the usual VPN that disguised their traffic. As a result, they left one honest IP trace at an unnamed social media site.

That IP address, "identified Guccifer 2.0 as a particular GRU officer working out of the agency's headquarters on Grizodubovoy Street in Moscow," the Daily Beast reported. (The GRU is one of the Russia's security and intelligence organs.) Previous work by security researchers had suggested this, but it's the first I've heard of evidence this direct. Assuming it's genuine, it's a sobering reminder of how fragile anonymity is on the internet -- one click and the whole thing comes crashing down.


New R2D2 Technique Protects Files Against Wiper Malware, Secure Delete Apps (bleepingcomputer.com) 47

An anonymous reader writes: Purdue University scientists have developed a data protection technique called Reactive Redundancy for Data Destruction (R2D2) that can safeguard data sitting inside a virtual machine from modern data-wiping malware and even some secure file deletion methods. The technique was developed to protect enterprise systems, which are often running inside VMs.

Researchers say the new technique was successful in preventing wiper malware such as Shamoon (v1 and v2), StoneDrill, and Destover from deleting data during their experiments, but it was able to prevent data deletion attempted with legitimate "secure delete" applications. When such operations are detected, R2D2 runs each one through a series of policies that evaluate the operation for known destructive patterns. If the scan triggers a warning, the VM creates a temporary checkpoint that a human operator can use as a system restore point.


Atlanta City Government Systems Down Due To Ransomware Attack (arstechnica.com) 64

An anonymous reader quotes a report from Ars Technica: The city of Atlanta government has apparently become the victim of a ransomware attack. The city's official Twitter account announced that the city government "is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information." According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screen shot of a ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees received emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious. An internal email shared with WXIA said that the internal systems affected include the city's payroll application. "At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue," a city spokesperson told Ars. "We are confident that our team of technology professionals will be able to restore applications soon." The city's primary website remains online, and the city government will continue to post updates there, the spokesperson added.

Mark Zuckerberg Apologizes For the Cambridge Analytica Scandal, Says He Isn't Opposed To Regulation (theverge.com) 179

An anonymous reader quotes a report from The Verge: Mark Zuckerberg apologized on Wednesday evening for his company's handling of the Cambridge Analytica privacy scandal. "This was a major breach of trust and I'm really sorry this happened," he said in an interview on CNN. "Our responsibility now is to make sure this doesn't happen again." Zuckerberg's comments reflected the first time he apologized following an uproar over how Facebook allowed third-party developers to access user data. Earlier in the day, Zuckerberg wrote a Facebook post in which he said the company had made mistakes in its handling of the Cambridge Analytica data revelations. The company laid out a multipart plan designed to reduce the amount of data shared by users with outside developers, and said it would audit some developers who had access to large troves of data before earlier restrictions were implemented in 2014. Zuckerberg also told CNN that he is not totally opposed to regulation. "I'm not sure we shouldn't be regulated," he said. "There are things like ad transparency regulation that I would love to see."

Other highlights of Zuckerberg's interviews:
-He told multiple outlets that he would be willing to testify before Congress.
-He said the company would notify everyone whose data was improperly used.
-He told the New York Times that Facebook would double its security force this year, adding: "We'll have more than 20,000 people working on security and community operations by the end of the year, I think we have about 15,000 now."
-He told the Times that Facebook would investigate "thousands" of apps to determine whether they had abused their access to user data.

Regarding moderation, Zuckerberg told Recode: "[The] thing is like, 'Where's the line on hate speech?' I mean, who chose me to be the person that did that?" Zuckerberg said. "I guess I have to, because of where we are now, but I'd rather not."
United States

US Spending Bill Contains CLOUD Act, a Win For Tech and Law Enforcement (axios.com) 116

The 2,232 page spending bill released Wednesday by House and Senate leaders includes the Clarifying Lawful Overseas Use of Data [CLOUD] Act, which provides a legal framework for law enforcement to request data from overseas servers. The CLOUD Act currently sits high atop the wish list of tech firms, law enforcement and even foreign nations. Axios reports: The Supreme Court is currently mulling a case determining whether the Department of Justice had the right to force Microsoft to produce client emails stored on a server in Ireland without permission from Ireland's government. Microsoft fears the DOJ will force it to violate the laws of Ireland. The DOJ hopes to avoid the often years long process of abiding by treaties dealing with evidence. But both have publicly urged lawmakers to render the pending decision moot by passing the CLOUD act, a way to streamline the treaty process for requesting digital data.

The CLOUD Act provides a framework for reciprocal treaties for nations to request data from computers located within each other's borders. It also provides a mechanism for a Microsoft to take a law enforcement demand to court if it would force them to violate another country's rules. But when neither apply, law enforcement will be able to demand files in accordance with U.S. law.


Best Buy Stops Selling Huawei Smartphones (cnet.com) 86

Best Buy, the nation's largest electronics big box retailer, has ceased ordering new smartphones from Huawei and will stop selling its products over the next few weeks. Best Buy didn't provide any details as to why it has severed ties with Huawei, but it may have to do with security concerns involving the Chinese government. CNET reports: The move is a critical blow to Huawei, which is the world's third-largest smartphone vendor behind Apple and Samsung but has struggled to establish any presence in the U.S. Best Buy was one of Huawei's biggest retail partners, and one of the rare places where you could physically see its phones. Huawei phones aren't sold by any U.S. carriers, where a majority of Americans typically buy their phones. Security concerns have long dogged Huawei in the U.S. In 2012, the House Intelligence Committee released a report accusing Huawei and fellow Chinese vendor ZTE of making telecommunications equipment that posed national security threats, and banned U.S. companies from buying the gear. At the time, the committee stressed that the report didn't refer to its smartphones. But that's changed over the last several months. The directors of the FBI, CIA and NSA all expressed their concerns about the risks posed by Huawei and ZTE.

A 15-Year-Old Hacked the Secure Ledger Crypto Wallet (techcrunch.com) 66

An anonymous reader quotes a report from TechCrunch: A 15-year-old programmer named Saleem Rashid discovered a flaw in the popular Ledger hardware wallet that allowed hackers to grab secret PINs before or after the device was shipped. The holes, which Rashid described on his blog, allowed for both a "supply chain attack" -- meaning a hack that could compromise the device before it was shipped to the customer -- and another attack that could allow a hacker to steal private keys after the device was initialized. The Ledger team described the vulnerabilities dangerous but avoidable. For the "supply chain attack," they wrote: "by having physical access to the device before generation of the seed, an attacker could fool the device by injecting his seed instead of generating a new one. The most likely scenario would be a scam operation from a shady reseller." "If you bought your device from a different channel, if this is a second hand device, or if you are unsure, then you could be victim of an elaborate scam. However, as no demonstration of the attack in the real has been shown, it is very unlikely. In both cases, a successful firmware update is the proof that your device has never been compromised," wrote the team.

Further, the post-purchase hack "can be achieved only by having physical access to the device, knowing your PIN code and installing a rogue unsigned application. This rogue app could break isolation between apps and access sensitive data managed by specific apps such as GPG, U2F or Neo." Ledger CEO Eric Larcheveque claimed that there were no reports of the vulnerability effecting any active devices. "No one was compromised that we know of," he said. "We have no knowledge that any device was affected." Rashid, for his part, was disappointed with the speed Ledger responded to his claims.


Kaspersky Lab Plans Swiss Data Center To Combat Spying Allegations, Report Says (reuters.com) 47

An anonymous reader shares a report: Moscow-based Kaspersky Lab plans to open a data center in Switzerland to address Western government concerns that Russia exploits its anti-virus software to spy on customers, according to internal documents seen by Reuters. Kaspersky is setting up the center in response to actions in the United States, Britain and Lithuania last year to stop using the company's products, according to the documents, which were confirmed by a person with direct knowledge of the matter. The action is the latest effort by Kaspersky, a global leader in anti-virus software, to parry accusations by the U.S. government and others that the company spies on customers at the behest of Russian intelligence.

AMD Says Patches Coming Soon For Chip Vulnerabilities (securityweek.com) 84

wiredmikey writes: After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) says patches are coming to address several security flaws in its chips. In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.


Telegram Loses Supreme Court Appeal In Russia, Must Hand Over Encryption Keys (bloomberg.com) 216

Telegram has lost a bid before Russia's Supreme Court to block security services from getting access to users' data, giving President Vladimir Putin a victory in his effort to keep tabs on electronic communications. Bloomberg reports: Supreme Court Judge Alla Nazarova on Tuesday rejected Telegram's appeal against the Federal Security Service, the successor to the KGB spy agency which last year asked the company to share its encryption keys. Telegram declined to comply and was hit with a fine of $14,000. Communications regulator Roskomnadzor said Telegram now has 15 days to provide the encryption keys. Telegram, which is in the middle of an initial coin offering of as much as $2.55 billion, plans to appeal the ruling in a process that may last into the summer, according to the company's lawyer, Ramil Akhmetgaliev. Any decision to block the service would require a separate court ruling, the lawyer said.

Putin signed laws in 2016 on fighting terrorism, which included a requirement for messaging services to provide the authorities with means to decrypt user correspondence. Telegram challenged an auxiliary order by the Federal Security Service, claiming that the procedure doesn't involve a court order and breaches constitutional rights for privacy, according to documents. The security agency, known as the FSB, argued in court that obtaining the encryption keys doesn't violate users' privacy because the keys by themselves aren't considered information of restricted access. Collecting data on particular suspects using the encryption would still require a court order, the agency said.


Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards (usnews.com) 29

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

The NSA Worked To 'Track Down' Bitcoin Users, Snowden Documents Reveal (theintercept.com) 60

An anonymous reader shares a report: Classified documents provided by the whistleblower Edward Snowden show the National Security Agency worked urgently to target Bitcoin users around the world -- and wielded at least one mysterious source of information to "help track down senders and receivers of Bitcoins," according to a top-secret passage in an internal NSA report dating to March 2013. The data source appears to have leveraged NSA's ability to harvest and analyze raw, global internet traffic while also exploiting an unnamed software program that purported to offer anonymity to users, according to other documents.

Although the agency was interested in surveilling some competing cryptocurrencies, "Bitcoin is #1 priority," a March 15, 2013 internal NSA report stated. The documents indicate that "tracking down" Bitcoin users went well beyond closely examining Bitcoin's public transaction ledger, known as the Blockchain, where users are typically referred to through anonymous identifiers; the tracking may also have involved gathering intimate details of these users' computers. The NSA collected some Bitcoin users' password information, internet activity, and a type of unique device identification number known as a MAC address, a March 29, 2013 NSA memo suggested. In the same document, analysts also discussed tracking internet users' internet addresses, network ports, and timestamps to identify "BITCOIN Targets."


Facebook Security Chief Said To Leave After Clashes Over Disinformation (theverge.com) 45

Facebook's chief information security officer, Alex Stamos, will leave the company after internal disagreements over how the social network should deal with its role in spreading disinformation. The New York Times reports (Warning: source may be paywalled; alternative source): Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network's chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters. After his day-to-day responsibilities were reassigned to others in December, Mr. Stamos said he would leave the company. He was persuaded to stay through August to oversee the transition of his duties because executives thought his departure would look bad, the current and former employees said. He has been overseeing the transfer of his security team to Facebook's product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said. Mr. Stamos would be the first high-ranking employee to leave Facebook since controversy erupted over disinformation on its site. His departure is a sign of heightened leadership tensions at the company.

Hackers Are So Fed Up With Twitter Bots They're Hunting Them Down Themselves (theintercept.com) 45

An anonymous reader writes: Even if Twitter hasn't invested much in anti-bot software, some of its most technically proficient users have. They're writing and refining code that can use Twitter's public application programming interface, or API, as well as Google and other online interfaces, to ferret out fake accounts and bad actors. The effort, at least among the researchers I spoke with, has begun with hunting bots designed to promote pornographic material -- a type of fake account that is particularly easy to spot -- but the plan is to eventually broaden the hunt to other types of bots. The bot-hunting programming and research has been a strictly volunteer, part-time endeavor, but the efforts have collectively identified tens of thousands of fake accounts, underlining just how much low-hanging fruit remains for Twitter to prune.

Among the part-time bot-hunters is French security researcher and freelance Android developer Baptiste Robert, who in February of this year noticed that Twitter accounts with profile photos of scantily clad women were liking his tweets or following him on Twitter. Aside from the sexually suggestive images, the bots had similarities. Not only did these Twitter accounts typically include profile photos of adult actresses, but they also had similar bios, followed similar accounts, liked more tweets than they retweeted, had fewer than 1,000 followers, and directed readers to click the link in their bios.

Slashdot Top Deals