Privacy

When a Company Gets Sold, Your Data May Be Sold, Too

Posted by Soulskill
from the what's-yours-is-ours-and-what's-ours-is-somebody-else's dept.
An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa) had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.
Encryption

NIST Updates Random Number Generation Guidelines

Posted by Soulskill
from the of-barn-doors-and-horses dept.
An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.
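To make the SP 800-90A construction concrete, here is an added example of one of the generators the document specifies, HMAC_DRBG with SHA-256 (section 10.1.2 of the standard). It is not NIST's reference code, not code from the page, and not a validated module; HMAC_DRBG is shown rather than CTR_DRBG only because it needs nothing beyond the Python standard library (CTR_DRBG needs AES). The seed bytes used in the demo are constructed for illustration; a real instantiation must take its entropy from the operating system, as `new_os_seeded_drbg` does.

```python
"""HMAC_DRBG (NIST SP 800-90A, section 10.1.2) with SHA-256, using only the
Python standard library.  Added illustration: this is not NIST's reference
code and not a validated module.  Seed values used in the demo are constructed
for the example; a real instantiation must draw entropy from the OS."""
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC_DRBG.  Internal state is the pair (K, V); every call that
    consumes or produces output runs the Update function so that output never
    reveals K."""

    OUTLEN = 32                    # SHA-256 output length in bytes
    MIN_ENTROPY = 32               # 256-bit security strength
    MAX_REQUEST_BYTES = 1 << 16    # SP 800-90A caps one request at 2^19 bits
    RESEED_INTERVAL = 1 << 48      # SP 800-90A maximum for HMAC_DRBG

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b"",
                 reseed_interval: int = RESEED_INTERVAL):
        if len(entropy) < self.MIN_ENTROPY:
            raise ValueError("entropy input below security strength")
        self._k = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        self._reseed_interval = reseed_interval
        # Instantiate: seed_material = entropy_input || nonce || personalization_string
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: mixes provided_data into (K, V)."""
        self._k = self._hmac(self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._v)
        if not provided_data:
            return
        self._k = self._hmac(self._v + b"\x01" + provided_data)
        self._v = self._hmac(self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        """HMAC_DRBG_Reseed: fresh entropy resets the reseed counter."""
        if len(entropy) < self.MIN_ENTROPY:
            raise ValueError("entropy input below security strength")
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate.  Refuses to run past the reseed interval
        instead of silently continuing, as the standard requires."""
        if n_bytes > self.MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self._reseed_interval:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self._v = self._hmac(self._v)
            out += self._v
        # Backtracking resistance: refresh the state after producing output
        self._update(additional_input)
        self._reseed_counter += 1
        return out[:n_bytes]


def new_os_seeded_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Instantiate from the OS entropy source (os.urandom), as a real
    deployment would; the nonce is 128 bits, the standard's minimum."""
    return HmacDrbg(os.urandom(32), os.urandom(16), personalization)


if __name__ == "__main__":
    drbg = new_os_seeded_drbg(b"example-app")
    print(drbg.generate(32).hex())
```

The two properties worth noticing are that the generator is fully deterministic given its seed material (the same entropy, nonce and personalization string always yield the same stream, which is why those inputs, not the algorithm, carry the security), and that it stops rather than continues once the reseed interval is exceeded.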
Encryption

Cisco Security Appliances Found To Have Default SSH Keys

Posted by Soulskill
from the invitation-to-misbehave dept.
Trailrunner7 writes: Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses. The company said all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability.

This bug is about as serious as they come for enterprises. An attacker who is able to discover the default SSH key would have virtually free rein on vulnerable boxes, which, given Cisco's market share and presence in the enterprise worldwide, is likely a high number. The default key apparently was inserted into the software for support reasons.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv. An attacker could exploit this vulnerability by obtaining the SSH private key and using it to connect to any WSAv, ESAv, or SMAv. An exploit could allow the attacker to access the system with the privileges of the root user," Cisco said.
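The practical check for this class of problem is to look for a public key that is authorized on more than one host: a vendor support key that is identical across every installation is exactly what a fleet-wide fingerprint comparison will surface. The script below is an added example for that check; it is not Cisco's code, carries no Cisco key material, and does not reproduce the vulnerability. It takes a mapping of host name to the contents of that host's authorized_keys file (as collected from configuration backups, for instance), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports any fingerprint seen on two or more hosts. The fleet in `SAMPLE_FLEET` is constructed for the example; the 32-byte values used to build its keys are arbitrary bytes, not real keys.

```python
"""Find SSH public keys that are authorized on more than one host.
Added illustration for the Cisco default-key advisory above; it is not Cisco's
code and carries no Cisco key.  Input is a mapping host -> contents of that
host's authorized_keys file (e.g. collected from config backups); the keys in
SAMPLE_FLEET are constructed for the example."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw32: bytes, comment: str, options: str = "") -> str:
    """Build a syntactically valid authorized_keys line for an Ed25519 public key
    (wire blob = string("ssh-ed25519") || string(32-byte key)).  Used only to
    construct sample data; raw32 here is arbitrary bytes, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    b64 = base64.b64encode(blob).decode()
    line = f"ssh-ed25519 {b64} {comment}"
    return f"{options} {line}" if options else line


def openssh_fingerprint(line: str) -> str:
    """Return the SHA256 fingerprint OpenSSH prints (ssh-keygen -lf) for one
    authorized_keys line, skipping any leading key options such as
    'no-pty,command="..."'."""
    parts = line.split()
    for i, token in enumerate(parts):
        if token.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not a public key line: {line[:40]!r}")


def shared_keys(fleet: dict) -> dict:
    """Map fingerprint -> sorted hosts for every key authorized on 2+ hosts."""
    seen = defaultdict(set)
    for host, contents in fleet.items():
        for line in contents.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[openssh_fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample fleet: a vendor support key present on two appliances,
# plus a per-host admin key.  The byte values are arbitrary, not real keys.
SUPPORT_KEY_BYTES = bytes(range(1, 33))
SAMPLE_FLEET = {
    "esa-01": "\n".join([
        "# vendor-provisioned",
        ed25519_pubkey_line(SUPPORT_KEY_BYTES, "support@vendor", "no-port-forwarding"),
        ed25519_pubkey_line(b"\xa1" * 32, "admin@esa-01"),
    ]),
    "wsa-01": ed25519_pubkey_line(SUPPORT_KEY_BYTES, "support@vendor"),
    "sma-01": ed25519_pubkey_line(b"\xb2" * 32, "admin@sma-01"),
}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_FLEET).items():
        print(f"{fp} authorized on {len(hosts)} hosts: {', '.join(hosts)}")
```

A shared key is not automatically a vulnerability (a jump-host key deployed by the administrator will show up too), but any key on the list that the administrator did not put there is the finding; comparing the fingerprint against the one published in the vendor's advisory, where one is published, confirms it.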
Government

Editor of 'Reason' Discusses Federal Subpoena To Unmask Commenters

Posted by Soulskill
from the apparently-people-say-bad-stuff-on-the-internet dept.
mi points out an article from Nick Gillespie, editor of libertarian website Reason, who was recently asked by the federal government to provide identifying information on anonymous commenters from one of the site's blog posts. Not only was Reason issued a subpoena for the commenters' identities, but they were also placed under a gag order, preventing them from even mentioning it to somebody who wasn't their lawyer. Gillespie says the comments in question were "hyperbolic, in questionable taste–and fully within the norms of Internet commentary." He continues: "To the extent that the feds actually thought these were serious plans to do real harm, why the hell would they respond with a slow-moving subpoena whose deadline was days away? By spending five minutes doing the laziest, George Jetson-style online "research" (read: Google and site searches), they would have found publicly available info on some of the commenters. I'm talking things like websites and Google+ pages. One of the commenters had literally posted thousands of comments at Reason.com, from which it is clear that he (assuming it is a he) is not exactly a threat to anyone other than common decency."
Privacy

ICANN Seeks Comment On Limiting Anonymized Domain Registration

Posted by Soulskill
from the your-computer-is-broadcasting-an-ip-address dept.
angry tapir writes: Privacy advocates are sounding the alarm over a potential policy change (PDF) that would prevent some people from registering website addresses without revealing their personal information. ICANN, the regulatory body that oversees domain names, has asked for public comment on whether it should prohibit the private registration of domains which are "associated with commercial activities and which are used for online financial transactions."
Government

France, Up In Arms Over NSA Spying, Passes New Surveillance Law

Posted by samzenpus
from the was-that-wrong? dept.
An anonymous reader writes: French President Francois Hollande held an emergency meeting with top security officials to respond to WikiLeaks documents that say the NSA eavesdropped on French presidents. The documents published in Liberation and investigative website Mediapart include material that appeared to capture current president, François Hollande; the prime minister in 2012, Jean-Marc Ayrault; and former presidents Nicolas Sarkozy and Jacques Chirac, talking candidly about Greece's economy and relations with Germany. The Intercept reports: "Yet also today, the lower house of France's legislature, the National Assembly, passed a sweeping surveillance law. The law provides a new framework for the country's intelligence agencies to expand their surveillance activities. Opponents of the law were quick to mock the government for vigorously protesting being surveilled by one of the country's closest allies while passing a law that gives its own intelligence services vast powers with what its opponents regard as little oversight. But for those who support the new law, the new revelations of NSA spying showed the urgent need to update the tools available to France's spies."
Australia

Aussie Telco Caught Handing Over User Mobile Numbers To Websites Without Consent

Posted by Soulskill
from the upside-down-morals dept.
AlbanX writes: Australian telco Optus has been nabbed passing its customers' mobile phone numbers to third-party websites without the customers' knowledge or consent. The practice, known as HTTP header enrichment, aims to streamline the process of direct billing for customers, but they're not happy. The discovery was made by a user on the telco forum Whirlpool, and Optus confirmed it. They said, "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."
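Header enrichment is only observable from the receiving end, which is how the Whirlpool user would have found it: send a request whose headers you know over the mobile network to an endpoint you control, and compare what arrived with what you sent. The script below is an added example of that comparison; it is not code from Optus or from the Whirlpool thread. Both raw requests in it are constructed sample data, the placeholder number in `X-MSISDN` is not a real subscriber number, and the names in `ENRICHMENT_HEADERS` are an assumption about headers carrier gateways have commonly been reported to use, not a list from the story.

```python
"""Detect request headers inserted in transit (HTTP header enrichment).
Added illustration for the Optus story above; not code from Optus or from the
Whirlpool thread.  Method: the client keeps a copy of the request it sent, an
echo endpoint the tester controls records what arrived, and the two header
sets are diffed.  Both requests below are constructed sample data, and the
names in ENRICHMENT_HEADERS are an assumption about what carrier gateways
typically inject."""

# Header names (lower-cased) that carrier gateways have been reported to use
# for subscriber identity; treat this list as an assumption, not a spec.
ENRICHMENT_HEADERS = {"x-msisdn", "x-up-calling-line-id", "x-nokia-msisdn", "x-wap-msisdn"}

# Headers a benign intermediary may legitimately add; shown but not flagged.
HOP_BY_HOP_ADDITIONS = {"via", "x-forwarded-for", "forwarded"}


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x request.  Names are
    case-insensitive, so keys are lower-cased; repeated headers are joined
    with ', ' as RFC 7230 permits."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:               # lines[0] is the request line
        if not line.strip():
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def looks_like_msisdn(value: str) -> bool:
    """E.164 numbers are 8-15 digits, optionally with a leading '+'."""
    digits = value[1:] if value.startswith("+") else value
    return digits.isdigit() and 8 <= len(digits) <= 15


def diff_headers(sent_raw: str, received_raw: str):
    """Return (added, changed): headers present only on arrival, and headers
    whose value differs from what the client sent."""
    sent, received = parse_headers(sent_raw), parse_headers(received_raw)
    added = {k: v for k, v in received.items() if k not in sent}
    changed = {k: (sent[k], received[k]) for k in sent
               if k in received and sent[k] != received[k]}
    return added, changed


def enrichment_findings(sent_raw: str, received_raw: str) -> list:
    """Headers that were injected and carry (or look like) a subscriber number."""
    added, _ = diff_headers(sent_raw, received_raw)
    return sorted(
        (name, value) for name, value in added.items()
        if name in ENRICHMENT_HEADERS
        or (name not in HOP_BY_HOP_ADDITIONS and looks_like_msisdn(value))
    )


# Constructed sample: what a test client sent over plain HTTP ...
CLIENT_SENT = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example.test\r\n"
    "User-Agent: enrichment-probe/1.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
# ... and what the echo endpoint recorded after the carrier gateway.
# "61400000000" is a placeholder, not a real subscriber number.
GATEWAY_DELIVERED = (
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example.test\r\n"
    "User-Agent: enrichment-probe/1.0\r\n"
    "Accept: */*\r\n"
    "Via: 1.1 carrier-gw\r\n"
    "X-MSISDN: 61400000000\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for name, value in enrichment_findings(CLIENT_SENT, GATEWAY_DELIVERED):
        print(f"injected identity header: {name}: {value}")
```

The probe has to be run over plain http://: a carrier gateway cannot add headers inside a TLS session without breaking it, so enrichment is confined to unencrypted traffic, which is also why a site served only over HTTPS never receives the number. The diff deliberately reports `Via` and similar proxy headers as added but does not flag them; only additions that are known identity headers, or whose value is shaped like a phone number, count as findings.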
Security

Emergency Adobe Flash Patch Fixes Zero-Day Under Attack

Posted by Soulskill
from the film-at-11 dept.
msm1267 writes: Adobe has released an emergency patch for a Flash zero-day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks. Adobe said Flash Player 18.0.0.161 and earlier for Windows and Macintosh systems are affected, as is 11.2.202.466 for Linux 11.x versions.

The current iteration of Clandestine Fox attacks shares many traits with last year's attacks, including generic, almost spam-like phishing emails intent on snaring as many victims as possible that can be analyzed for their value before additional attacks are carried out. The two campaigns also share the same custom backdoor called SHOTPUT, as well as an insistence on using a throwaway command and control infrastructure.
Security

New Snowden Leaks Show NSA Attacked Anti-Virus Software

Posted by timothy
from the picking-your-locks-for-your-own-protection dept.
New submitter Patricbranson writes: The NSA, along with its British counterpart Government Communications Headquarters (GCHQ), spent years reverse-engineering popular computer security software in order to spy on email and other electronic communications, according to the classified documents published by the online news site The Intercept. With various countries' spy agencies trying to make sure computers aren't secure (from their own intrusions, at least), it's no wonder that Kaspersky doesn't want to talk about who hacked them.
Google

DOJ Vs. Google: How Google Fights On Behalf of Its Users

Posted by samzenpus
from the who-has-your-back? dept.
Lauren Weinstein writes: While some companies have long had a "nod and wink" relationship with law enforcement and other parts of government -- willingly turning over user data at mere requests without even attempting to require warrants or subpoenas -- it's widely known that Google has long pushed back -- sometimes through multiple layers of courts and legal processes -- against data requests from government that are not accompanied by valid court orders or that Google views as being overly broad, intrusive, or otherwise inappropriate. Over the last few days the public has gained an unusually detailed insight into how hard Google will fight to protect its users against government overreaching, even when this involves only a single user's data. One case reaches back to the beginning of 2011, when the U.S. Department of Justice tried to force Google to turn over more than a year's worth of metadata for a user affiliated with WikiLeaks. While these demands did not include the content of emails, they did include records of this party's email correspondents, and IP addresses he had used to log in to his Gmail account. Notably, DOJ didn't even seek a search warrant. They wanted Google to turn over the data based on the lesser "reasonable grounds" standard rather than the "probable cause" standard of a search warrant itself. And most ominously, DOJ wanted a gag order to prevent Google from informing this party that any of this was going on, which would make it impossible for him to muster any kind of legal defense.
Privacy

Louisiana Governor Vetoes License Plate Reader Bill, Citing Privacy Concerns

Posted by samzenpus
from the stop-watching dept.
An anonymous reader writes: Louisiana Governor Bobby Jindal has vetoed a plan to acquire license plate reading cameras in the state. Law enforcement agencies nationwide use such cameras to scan cars and compare them to a "hot list" of stolen or wanted vehicles. That data is kept for weeks, or even years in some cases. Jindal wrote in a signing statement: "Senate Bill No. 250 would authorize the use of automatic license plate reader camera surveillance programs in various parishes throughout the state. The personal information captured by these cameras, which includes a person’s vehicle location, would be retained in a central database and accessible to not only participating law enforcement agencies but other specified private entities for a period of time regardless of whether or not the system detects that a person is in violation of vehicle insurance requirements. Camera programs such as these that make private information readily available beyond the scope of law enforcement, pose a fundamental risk to personal privacy and create large pools of information belonging to law abiding citizens that unfortunately can be extremely vulnerable to theft or misuse. For these reasons, I have vetoed Senate Bill No. 250 and hereby return it to the Senate."
Government

Swedish Investigators Attempt Assange Interview; Wikileaks Makes Major Release

Posted by samzenpus
from the to-talk-or-not-to-talk dept.
cold fjord writes: It seems Julian Assange rates his own section (The Assange Matter) on a Swedish government website related to the investigation. It contains some FAQs on points that seem to keep coming up in Slashdot discussions. The website isn't completely up to date at the moment since it doesn't discuss the recent attempt by Swedish investigators to interview Assange in the Ecuadorian embassy in London. Unfortunately that attempt failed since the government of Ecuador didn't give permission to the Swedish delegation to enter their embassy. That is quite odd given the years of demands for this. Concurrent with this, Wikileaks has started releasing what is reported to be more than 500,000 leaked Saudi Arabian diplomatic documents that are sure to stir up some controversies. Most are in Arabic so it may take some time for their contents to filter out.
Transportation

Allstate Patents Physiological Data Collection

Posted by samzenpus
from the in-measured-hands dept.
TigerPlish writes: Allstate has been granted patent no. US 20140080100 A1 for a "driving-behavior database that it said might be useful for health insurers, lenders, credit-rating agencies, marketers and potential employers." The program is just in the patent stage for now, but the company says: "the invention has the potential to evaluate drivers' physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors." Imagine a world where you are denied employment or credit based on the information obtained from your car and sold by your insurer. What could possibly go wrong?
Crime

Dallas Police Falsely Credit TrapWire System For Arrests

Posted by timothy
from the for-large-values-of-zero dept.
In April, the Texas Department of Public Safety told a Dallas Morning News reporter, who had been prompted by information leaked by Wikileaks to ask how the agency might be compromising citizens' privacy and other rights, that the TrapWire behavioral analysis system, used together with surveillance equipment installed at various high-profile locations around the state, had resulted in 44 arrests. However, after numerous public records requests for more information about those claimed arrests, the agency admitted that the true figure is somewhat lower: namely, zero. The story naturally involves "millions" of dollars (though an exact figure for the zero-arrest system isn't named), and Austin-based Stratfor, a company that's been named a few times here on Slashdot.
Encryption

Two Years After Snowden Leaks, Encryption Tools Are Gaining Users

Posted by Soulskill
from the cryptic-response dept.
Patrick O'Neill writes: It's not just DuckDuckGo — since the first Snowden articles were published in June 2013, the global public has increasingly adopted privacy tools that use technology like strong encryption to protect themselves from eavesdroppers as they surf the Web and use their phones. The Tor network has doubled in size, Tails has tripled in users, PGP has double the daily adoption rate, Off The Record messaging is more popular than ever before, and SecureDrop is used in some of the world's top newsrooms.
Education

School Lunch Program Scans Student Thumbprints For 'Tracking Purposes'

Posted by Soulskill
from the there-ain't-no-such-thing-as-a-free-lunch dept.
schwit1 writes with news that a school district in Pennsylvania is providing free lunches to schoolchildren as part of an initiative to improve nutrition. Instead of providing the lunches to all students without question, they made the program opt-in. Since not all students get the lunches, they needed a way to track who was getting them. Officials decided the best way to do so would be to invest in biometric software that scans students' thumbprints every time they pick up lunch. The data collected by these scanners goes not just to the school district, but to the federal government as well.
Privacy

DuckDuckGo Sees Massive Growth In Post-Snowden World

Posted by Soulskill
from the gotta-be-careful-typing-that-name dept.
DuckDuckGo, the privacy-oriented search engine, has been around for over six years. But when Edward Snowden revealed the extent of NSA surveillance in 2013, DuckDuckGo started a period of strong growth that hasn't slowed yet. The search engine has seen a 600% increase in traffic over the past two years, and they're now serving 3 billion searches a year. This shouldn't be a surprise — last month, a Pew survey found that 40% of American adults didn't want their search engine to retain information about them. But members of the general public are notoriously slow to change their privacy-related behavior. DuckDuckGo's growing popularity has led them to double their employee count since early 2014, now totaling 28 people. Their success is beginning to fuel speculation about an acquisition, with Apple's name being tossed around as a potential buyer.
Chromium

Google Criticized For 'Opaque' Audio-Listening Binary In Debian Chromium

Posted by Soulskill
from the ok-google-stop-listening-to-me-breathe dept.
An anonymous reader writes: Google has fallen under criticism for including a compiled audio-monitoring binary in Chromium for Debian. A report was logged at Debian's bug register on Tuesday noting the presence of a non-auditable 'hotword' module in Chromium 43. The module facilitates Google's "OK, Google" functionality, which listens for that phrase via a Chrome user's microphone and attempts afterwards to interpret the user's instructions as a search query. Matt Giuca from the Chromium development team responded after the furore developed, disclaiming Google from any responsibility for auditing Chromium code, but promising clearer controls over the feature in release 45.
Canada

Canadian Government Servers Compromised By Anonymous

Posted by samzenpus
from the for-your-benefit dept.
An anonymous reader writes: There was a cyber-attack on Wednesday by the activist group Anonymous, aimed at the Canadian government. Public Safety Minister Steven Blaney says no personal information was compromised. Anonymous claimed responsibility for the attack in protest against the recent passing of the government's anti-terror Bill C-51. "Today, Anons around the world took a stand for your rights. Do we trade our privacy for security? Do we bow down and obey what has become totalitarian rule? Don't fool [yourselves]. The Harper regime does not listen to the people, it acts only in [its] best interests." the group wrote in an online post.
Security

E-Detective Spy Tool Used By Police and Governments Has Major Security Holes

Posted by samzenpus
from the we-got-a-problem dept.
DavidGilbert99 writes: A controversial intercept tool called E-Detective from Taiwan-based company Decision Group has a major security hole which could allow a hacker to remotely execute code and read all the data captured by the software. Considering over 100 law enforcement agencies and governments around the world use E-Detective, this could be a big problem. According to the International Business Times story: "E-Detective works by 'sniffing the network' it is monitoring and captures data packets before sending them to be reassembled and decoded. Unlike other products E-Detective promises to 'reconstruct the data to its original format' for the end users so that it will be seen the same way that it was seen on the network. E-Detective also advertises as a network forensic tool for private enterprises to 'protect sensitive data from data leakage'."