Take advantage of Black Friday with 15% off sitewide with coupon code "BLACKFRIDAY" on Slashdot Deals (some exclusions apply)". ×

Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com) 52

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

NSA To End Bulk Phone Surveillance By Sunday (reuters.com) 90

An anonymous reader writes: The White House announced today that the NSA will be shutting down the program responsible for the bulk collection of phone records by the end of tomorrow. The program will be immediately replace with a new, scaled back version as enumerated by the USA Freedom Act. "Under the Freedom Act, the NSA and law enforcement agencies can no longer collect telephone calling records in bulk in an effort to sniff out suspicious activity. Such records, known as "metadata," reveal which numbers Americans are calling and what time they place those calls, but not the content of the conversations. Instead analysts must now get a court order to ask telecommunications companies ... to enable monitoring of call records of specific people or groups for up to six months."

Greenwald: Why the CIA Is Smearing Edward Snowden After Paris Attacks (latimes.com) 270

JoeyRox points out that Glenn Greenwald has some harsh words for the CIA in an op-ed piece for the LA Times. From the article: "Decent people see tragedy and barbarism when viewing a terrorism attack. American politicians and intelligence officials see something else: opportunity. Bodies were still lying in the streets of Paris when CIA operatives began exploiting the resulting fear and anger to advance long-standing political agendas. They and their congressional allies instantly attempted to heap blame for the atrocity not on Islamic State but on several preexisting adversaries: Internet encryption, Silicon Valley's privacy policies and Edward Snowden."

Google Scours 1.2 Million URLs To Conform With EU's "Right To Be Forgotten" Law (engadget.com) 66

An anonymous reader writes: According to a Google report the company has evaluated 1,234,092 URLs from 348,085 requests since the EU's May 2014 "right to be forgotten" ruling, and has removed 42% of those URLs. Engadget reports: "To show how it comes to its decisions, the company shared some of the requests it received and its decisions. For example: a private citizen that was convicted of a serious crime, but had that conviction overturned during appeal, had search results about the crime removed. Meanwhile a high ranking public official in Hungary failed to get the results squelched of a decades-old criminal conviction. Of course, that doesn't mean the system is perfect and the company has already been accused of making mistakes."

Green Light Or No, Nest Cam Never Stops Watching (securityledger.com) 199

chicksdaddy writes: How do you know when the Nest Cam monitoring your house is "on" or "off"? It's simple: just look at the little power indicator light on the front of the device — and totally disregard what it is telling you. The truth is: the Nest Cam is never "off" despite an effort by Nest and its parent Google to make it appear otherwise. That, according to an analysis of the Nest Cam by the firm ABI Research, which found that turning the Nest Cam "off" using the associated mobile application only turns off the LED power indicator light on the front of the device. Under the hood, the camera continues to operate and, according to ABI researcher Jim Mielke, to monitor its surroundings: noting movement, sound and other activity when users are led to believe it has powered down.

Mielke reached that conclusion after analyzing Nest Cam's power consumption. Typically a shutdown or standby mode would reduce current by as much as 10 to 100 times, Mielke said. But the Google Nest Cam's power consumption was almost identical in "shutdown" mode and when fully operational, dropping from 370 milliamps (mA) to around 340mA. The slight reduction in power consumption for the Nest Cam when it was turned "off" correlates with the disabling of the LED power light, given that LEDs typically draw 10-20mA.

In a statement to The Security Ledger, Nest Labs spokesperson Zoz Cuccias acknowledged that the Nest Cam does not fully power down when the camera is turned off from the user interface (UI). "When Nest Cam is turned off from the user interface (UI), it does not fully power down, as we expect the camera to be turned on again at any point in time," Cuccias wrote in an e-mail. "With that said, when Nest Cam is turned off, it completely stops transmitting video to the cloud, meaning it no longer observes its surroundings." The privacy and security implications are serious. "This means that even when a consumer thinks that he or she is successfully turning off this camera, the device is still running, which could potentially unleash a tidal wave of privacy concerns," Mielke wrote.


Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk) 91

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

New IBM Tech Lets Apps Authenticate You Without Personal Data (csoonline.com) 27

itwbennett writes: IBM's Identity Mixer allows developers to build apps that can authenticate users' identities without collecting personal data. Specifically, Identity Mixer authenticates users by asking them to provide a public key. Each user has a single secret key, and it corresponds with multiple public keys, or identities. IBM announced on Friday that Identity Mixer is now available to developers on its Bluemix cloud platform.

Whistleblowers: How NSA Created the 'Largest Failure' In Its History (zdnet.com) 118

An anonymous reader writes: Former NSA whistleblowers contend that the agency shut down a program that could have "absolutely prevented" some of the worst terror attacks in memory. According to the ZDNet story: "Weeks prior to the September 11 terrorist attacks, a test-bed program dubbed ThinThread was shut down in favor of a more expensive, privacy-invasive program that too would see its eventual demise some three years later -- not before wasting billions of Americans' tax dollars. Four whistleblowers, including a congressional senior staffer, came out against the intelligence community they had served, after ThinThread. designed to modernize the agency's intelligence gathering effort, was cancelled. Speaking at the premier of a new documentary film A Good American in New York, which chronicles the rise and demise of the program, the whistleblowers spoke in support of the program, led by former NSA technical director William Binney."

Blackberry Offers 'Lawful Device Interception Capabilities' (itnews.com.au) 137

An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" for government surveillance. BlackBerry COO Marty Beard as much at a recent IT summit. He declined to explain how the interception works, but he denied the phones would contain "backdoors" and said governments would have no direct access to BlackBerry servers. The company may see this as a way to differentiate themselves from the competition.

Comcast Xfinity Wi-Fi Discloses Customer Names and Addresses (csoonline.com) 47

itwbennett writes: Despite assurances that only business listings and not customer names and home addresses would appear in the public search results when someone searches for an Xfinity Wi-Fi hotspot, that is exactly what's happened when the service was initiated 2 years ago — and is still happening now, writes CSO's Steve Ragan. And that isn't the only security issue with the service. Another level of exposure centers on accountability. Ken Smith, senior security architect with K Logix in Brookline, Ma., discovered that Comcast is relying on the device's MAC address as a key component of authentication.

Donald Trump Obliquely Backs a Federal Database To Track Muslims 588

HughPickens.com writes: Philip Bump reports at the Washington Post that Donald Trump confirmed to NBC on Thursday evening that he supports a database to track Muslims in the United States. The database of Muslims arose after an interview Yahoo News's Hunter Walker conducted with Trump earlier this week, during which he asked the Republican front-runner to weigh in on the current debate over refugees from Syria. "We're going to have to do things that we never did before," Trump told Walker. "Some people are going to be upset about it, but I think that now everybody is feeling that security is going to rule." When pressed on whether these measures might include tracking Muslim Americans in a database or noting their religious affiliations on identification cards, Trump would not go into detail — but did not reject the options. Trump's reply? "We're going to have to — we're going to have to look at a lot of things very closely," he said. "We're going to have to look at the mosques. We're going to have to look very, very carefully." After an event on in Newton, Iowa, on Thursday night, NBC's Vaughn Hillyard pressed the point. "Should there be a database system that tracks Muslims here in this country?," Hillyard asked. "There should be a lot of systems, beyond databases" Trump said. "We should have a lot of systems." Hillyard asked about implementation, including the process of adding people to the system. "Good management procedures," Trump said. Sign people up at mosques, Hillyard asked? "Different places," Trump replied. "You sign them up at different places. But it's all about management."
The Courts

Judge: Stingrays Are 'Simply Too Powerful' Without Adequate Oversight (arstechnica.com) 111

New submitter managerialslime sends news that an Illinois judge has issued new requirements the government must meet before it can use cell-site simulators, a.k.a. "stingrays," to monitor the communications of suspected criminals. While it's likely to set precedent for pushing back against government surveillance powers, the ruling is specific to the Northern District of Illinois for now. What is surprising is Judge Johnston’s order to compel government investigators to not only obtain a warrant (which he acknowledges they do in this case), but also to not use them when "an inordinate number of innocent third parties’ information will be collected," such as at a public sporting event. This first requirement runs counter to the FBI’s previous claim that it can warrantlessly use stingrays in public places, where no reasonable expectation of privacy is granted. Second, the judge requires that the government "immediately destroy" collateral data collection within 48 hours (and prove it to the court). Finally, Judge Johnston also notes: "Third, law enforcement officers are prohibited from using any data acquired beyond that necessary to determine the cell phone information of the target. A cell-site simulator is simply too powerful of a device to be used and the information captured by it too vast to allow its use without specific authorization from a fully informed court."

File Says NSA Found Way To Replace Email Program (nytimes.com) 93

schwit1 writes: Newly disclosed documents show that the NSA had found a way to create the functional equivalent of programs that had been shut down. The shift has permitted the agency to continue analyzing social links revealed by Americans' email patterns, but without collecting the data in bulk from American telecommunications companies — and with less oversight by the Foreign Intelligence Surveillance Court.

The disclosure comes as a sister program that collects Americans' phone records in bulk is set to end this month. Under a law enacted in June, known as the USA Freedom Act, the program will be replaced with a system in which the NSA can still gain access to the data to hunt for associates of terrorism suspects, but the bulk logs will stay in the hands of phone companies.

The newly disclosed information about the email records program is contained in a report by the NSA's inspector general that was obtained through a lawsuit under the Freedom of Information Act. One passage lists four reasons the NSA decided to end the email program and purge previously collected data. Three were redacted, but the fourth was uncensored. It said that "other authorities can satisfy certain foreign intelligence requirements" that the bulk email records program "had been designed to meet."


Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com) 47

chicksdaddy writes: There's such a fine line between clever and criminal. That's the unmistakable subtext of the latest FireEye report on a new "APT" style campaign that's using methods and tools that are pretty much indistinguishable from those used by media websites and online advertisers. The difference? This time the information gathered from individuals is being used to soften up specific individuals with links to international diplomacy, the Russian government, and the energy sector.

The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.

While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes....This goes beyond 'normal' web analytics," the company said.


EU Set To Crack Down On Bitcoin and Anonymous Payments After Paris Attack (thestack.com) 274

An anonymous reader writes: Home affairs ministers from the European Union are set to gather in Brussels for crisis talks in the wake of the Paris attacks, and a crackdown on Bitcoin, pre-paid credit card and other forms of 'anonymous' online payments are on the agenda. From the article: "According to draft conclusions of the meeting, European interior and justice ministers will urge the European Commission (the EU executive arm) to propose measures to strengthen the controls of non-banking payment methods. These include electronic/anonymous payments, virtual currencies and the transfers of gold and precious metals by pre-paid cards."

Chicago Sends More Than 100,000 "Bogus" Camera-Based Speeding Tickets 200

Ars Technica, based on an in-depth report (paywalled) at the Chicago Tribune, says that the city of Chicago has been misusing traffic cameras to trigger automated speeding tickets. In particular, these cameras are placed in places where there are enhanced penalties for speeding, putatively intended to increase child safety. The automated observation system, though, has been used to send well over 100,000 tickets that the Tribune analysis deems "questionable," because they lack the evidence which is supposed to be required -- for instance, many of these tickets are unbacked by evidence of the presence of children, or were issued when the speeding rules didn't apply (next to a park when that park was closed).

How Cisco Is Trying To Prove It Can Keep NSA Spies Out of Its Gear (csoonline.com) 130

itwbennett writes: A now infamous photo [leaked by Edward Snowden] showed NSA employees around a box labeled Cisco during a so-called 'interdiction' operation, one of the spy agency's most productive programs,' writes Jeremy Kirk. 'Once that genie is out of the bottle, it's a hell of job to put it back in,' said Steve Durbin, managing director of the Information Security Forum in London. Yet that's just what Cisco is trying to do, and early next year, the company plans to open a facility in the Research Triangle Park in North Carolina where customers can test and inspect source code in a secure environment. But, considering that a Cisco router might have 30 million lines of code, proving a product hasn't been tampered with by spy agencies is like trying 'to prove the non-existence of god,' says Joe Skorupa, a networking and communications analyst with Gartner.
The Courts

Terrorism Case Challenges FISA Spying (buzzfeed.com) 108

An anonymous reader writes: As we've come to terms with revelations of U.S. surveillance over the past couple years, we've started to see lawsuits spring up challenging the constitutionality of the spying. Unfortunately, it's slow; one of the difficulties is that it's hard to gain standing in court if you haven't been demonstrably harmed. A case before the 9th Circuit Appeals Court is now testing the Foreign Intelligence and Surveillance Act in a big way, and whatever the outcome, it's likely to head to the Supreme Court. The case itself is long and complicated; it centers on a teenager who joined a plot to detonate a huge bomb in Portland, Oregon in 2010, but his co-conspirators turned out to be undercover FBI agents.

The case history is worth a read, and raises questions about entrapment and impressionable kids. However, the issue now being argued in court is simpler: the defendant was a U.S. citizen, and the FBI used FISA powers to access his communications without a warrant. Crucially, they failed to notify the defendant of this before trial — something they're legally required to do. This gives him and his lawyers standing to challenge the constitutionality of the law in the first place. It's a difficult puzzle, with no clear answer, but oral arguments could begin as soon as January for one of the most significant cases yet to challenge the U.S. government's surveillance of its own citizens.


Snowden Says It's Your Duty To Use an Ad Blocker (for Security) 342

AmiMoJo writes: In a long interview about reclaiming your privacy online, ex-NSA whistleblower Edward Snowden states that it's not just a good idea to use ad blocking software, it's your duty: "Everybody should be running adblock software, if only from a safety perspective. We've seen internet providers like Comcast, AT&T, or whoever it is, insert their own ads into your plaintext http connections. As long as service providers are serving ads with active content that require the use of JavaScript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser — you should be actively trying to block these. Because if the service provider is not working to protect the sanctity of the relationship between reader and publisher, you have not just a right but a duty to take every effort to protect yourself in response." Other recommendations include encrypting your hard drive and using Tor to keep your internet use private.
United Kingdom

UK PM Wants To Speed Up Controversial Internet Bill After Paris Attacks (thestack.com) 167

An anonymous reader writes: Less than three days after the attacks in Paris, UK prime minister David Cameron has suggested that the process of review for the controversial Draft Investigatory Powers Bill should be accelerated. The controversial proposal, which would require British ISPs to retain a subset of a user's internet history for a year and in effect outlaw zero-knowledge encryption in the UK, was intended for parliamentary review and ratification by the end of 2016, but at the weekend ex-terrorist watchdog Lord Carlile was in the vanguard of demands to speed the bill into law by the end of this year, implicitly criticizing ex-NSA whistleblower Edward Snowden for having 'shown terrorists ways to hide their electronic footprints'.