United States

Researchers Tie Regin Malware To NSA, Five Eyes Intel Agencies 60

Posted by timothy
from the which-wolves-and-which-sheep dept.
Trailrunner7 writes Researchers at Kaspersky Lab have discovered shared code and functionality between the Regin malware platform and a similar platform described in a newly disclosed set of Edward Snowden documents 10 days ago by Germany's Der Spiegel. The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together. "Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov today in a published report. (Here is the Spiegel article.)
Privacy

DEA Cameras Tracking Hundreds of Millions of Car Journeys Across the US 101

Posted by Soulskill
from the you-can-trust-us dept.
itwbennett writes: A U.S. Drug Enforcement Administration program set up in 2008 to keep tabs on cars close to the U.S.-Mexican border has been gradually expanded nationwide and is regularly used by other law enforcement agencies in their hunt for suspects. The extent of the system, which is said to contain hundreds of millions of records on motorists and their journeys, was disclosed in documents obtained by the American Civil Liberties Union as part of a Freedom of Information Act request.
Electronic Frontier Foundation

EFF Unveils Plan For Ending Mass Surveillance 200

Posted by Soulskill
from the hopeful-but-doubtful dept.
An anonymous reader writes: The Electronic Frontier Foundation has published a detailed, global strategy for ridding ourselves of mass surveillance. They stress that this must be an international effort — while citizens of many countries can vote against politicians who support surveillance, there are also many countries where the citizens have to resort to other methods. The central part of the EFF's plan is: encryption, encryption, encryption. They say we need to build new secure communications tools, pressure existing tech companies to make their products secure against everyone, and get ordinary internet-goers to recognize that encryption is a fundamental part of communication in the surveillance age.

They also advocate fighting for transparency and against overreach on a national level. "[T]he more people worldwide understand the threat and the more they understand how to protect themselves—and just as importantly, what they should expect in the way of support from companies and governments—the more we can agitate for the changes we need online to fend off the dragnet collection of data." The EFF references a document created to apply the principles of human rights to communications surveillance, which they say are "our way of making sure that the global norm for human rights in the context of communication surveillance isn't the warped viewpoint of NSA and its four closest allies, but that of 50 years of human rights standards showing mass surveillance to be unnecessary and disproportionate."
Privacy

Omand Warns of "Ethically Worse" Spying If Unbreakable Encryption Is Allowed 374

Posted by samzenpus
from the don't-make-it-hard-for-us dept.
Press2ToContinue writes In their attempts to kill off strong encryption once and for all, top officials of the intelligence services are coming out with increasingly hyperbolic statements about why this should be done. Now, a former head of GCHQ, Sir David Omand has said: "One of the results of Snowden is that companies are now heavily encrypting [communications] end to end. Intelligence agencies are not going to give up trying to get the bad guys. They will have to get closer to the bad guys. I predict we will see more close access work." According to The Bureau of Investigative Journalism, which reported his words from a talk he gave earlier this week, by this he meant things like physical observation, bugging rooms, and breaking into phones or computers. "You can say that will be more targeted but in terms of intrusion into personal privacy — collateral intrusion into privacy — we are likely to end up in an ethically worse position than we were before." That's remarkable for its implied threat: if you don't let us ban or backdoor strong encryption, we're going to start breaking into your homes.
Security

Ed Felten: California Must Lead On Cybersecurity 79

Posted by timothy
from the so-goes-the-nation dept.
An anonymous reader writes In a Sacramento Bee op-ed, (in)famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower. "What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy. From Felten's essay: Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable – they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state’s critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive – especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing. Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 U.S. Census estimate.
Communications

WhatsApp vs. WhatsApp Plus Fight Gets Ugly For Users 190

Posted by timothy
from the for-your-convenience-we-have-disabled-convenience dept.
BarbaraHudson writes WhatsApp is locking out users for 24 hours who use WhatsApp Plus to access the service. The company claims they brought in the temporary ban to make users aware that they are not using the correct version and their privacy could be comprised using the unofficial WhatsApp Plus. "Starting today, we are taking aggressive action against unauthorized apps and alerting the people who use them." Is this a more aggressive rerun of "This site best viewed with Internet Explorer"?
Privacy

China Cuts Off Some VPNs 205

Posted by timothy
from the we-see-what-you-did-there dept.
jaa101 writes The Register (UK) and the Global Times (China) report that foreign VPN services are unavailable in China. A quote sourced to "one of the founders of an overseas website which monitors the Internet in China" claimed 'The Great Firewall is blocking the VPN on the protocol level. It means that the firewall does not need to identify each VPN provider and block its IP addresses. Rather, it can spot VPN traffic during transit and block it.' An upgrade of the Great Firewall of China is blamed and China appears to be backing the need for the move to maintain cyberspace sovereignty.
Encryption

Data Encryption On the Rise In the Cloud and Mobile 83

Posted by Soulskill
from the setting-a-standard dept.
dkatana writes: Overall, demand for encryption is growing. Cloud encryption services provider CipherCloud recently received a $50 million investment by Deutsche Telekom, which the company said positions it for "explosive growth" this year. The services are designed to allow corporations to benefit from the cost savings and elasticity of cloud-based data storage, while ensuring that sensitive information is protected.

Now, both Apple and Google are providing full encryption as a default option on their mobile operating systems with an encryption scheme they are not able to break themselves, since they don't hold the necessary keys.

Some corporations have gone as far as turning to "zero-knowledge" services, usually located in countries such as Switzerland. These services pledge that they have no means to unlock the information once the customer has entered the unique encryption keys. This zero-knowledge approach is welcomed by users, who are reassured that their information is impossible to retrieve — at least theoretically — without their knowledge and the keys.
China

Apple Agrees To Chinese Security Audits of Its Products 114

Posted by samzenpus
from the looking-behind-the-curtain dept.
itwbennett writes According to a story in the Beijing News, Apple CEO Tim Cook has agreed to let China's State Internet Information Office to run security audits on products the company sells in China in an effort to counter concerns that other governments are using its devices for surveillance. "Apple CEO Tim Cook agreed to the security inspections during a December meeting in the U.S. with information office director Lu Wei, according to a story in the Beijing News. China has become one of Apple’s biggest markets, but the country needs assurances that Apple devices like the iPhone and iPad protect the security and privacy of their users as well as maintain Chinese national security, Lu told Cook, according to an anonymous source cited by the Beijing News."
Crime

Dish Network Violated Do-Not-Call 57 Million Times 237

Posted by samzenpus
from the please-stop-calling dept.
lightbox32 writes Dish Network has been found guilty of violating the Do Not Call list on 57 million separate occasions. They were also found liable for abandoning or causing telemarketers to abandon nearly 50 million outbound telephone calls, in violation of the abandoned-call provision of the Federal Trade Commission's Telemarketing Sales Rule. Penalties for infringing on the Do Not Call list can be up to a whopping $16,000 for each outbound call.
The Internet

Calls For European ISPs To Filter Content Could Be Illegal 60

Posted by samzenpus
from the government-knows-best dept.
jfruh writes Last week, justice ministers from EU countries called for ISPs to censor or block certain content in the "public interest." But a legal analysis shows that such moves could actually violate EU privacy laws, since it would inevitably involve snooping on the content of Internet traffic to see what should be blocked.
Advertising

Healthcare.gov Sends Personal Data To Over a Dozen Tracking Websites 203

Posted by Soulskill
from the a-bit-too-standard dept.
An anonymous reader tips an Associated Press report saying that Healthcare.gov is sending users' personal data to private companies. The information involved is typical ad-related analytic data: "...it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms." The Electronic Frontier Foundation confirmed the report, saying that data is being sent from Healthcare.gov to at least 14 third-party domains.

The EFF says, "Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them. "
Privacy

Police Nation-Wide Use Wall-Penetrating Radars To Peer Into Homes 290

Posted by timothy
from the shoot-anything-that-looks-like-a-blob dept.
mi writes At least 50 U.S. law enforcement agencies have secretly equipped their officers with radar devices that allow them to effectively peer through the walls of houses to see whether anyone is inside. The device the Marshals Service and others are using, known as the Range-R, looks like a sophisticated stud-finder. Its display shows whether it has detected movement on the other side of a wall and, if so, how far away it is — but it does not show a picture of what's happening inside. The Range-R's maker, L-3 Communications, estimates it has sold about 200 devices to 50 law enforcement agencies at a cost of about $6,000 each. Other radar devices have far more advanced capabilities, including three-dimensional displays of where people are located inside a building, according to marketing materials from their manufacturers. One is capable of being mounted on a drone. And the Justice Department has funded research to develop systems that can map the interiors of buildings and locate the people within them.
Communications

FBI Seeks To Legally Hack You If You're Connected To TOR Or a VPN 382

Posted by timothy
from the well-you-look-guilty-from-here dept.
SonicSpike writes The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.
Cellphones

Moscow To Track Cell-phone Users In 2015 For Traffic Analysis 63

Posted by timothy
from the why-do-you-hate-freedom? dept.
An anonymous reader links to this story at The Stack (based on this translated report) that "The Moscow authorities will begin using the signal from Muscovites' cell-phones in 2015 to research patterns of traffic and points of congestion, with a view to changes in travel infrastructure including roads, the Moscow metro and bus services. The tracking, which appears to opt all users in unilaterally, promises not to identify individual cell-phone numbers, and will use GSM in most cases, but also GPS in more densely-constructed areas of the old city. The system is already in limited use on the roads, but will be extended to pedestrians and subway users in 2015. The city of 11.5 million people has three main cell providers, all of whom cooperate fully with authorities' request for information. A representative of one, Beeline, said: "We prepare reports that detail where our subscribers work, live, move, and other aspects."
Programming

Interviews: Alexander Stepanov and Daniel E. Rose Answer Your Questions 42

Posted by samzenpus
from the read-all-about-it dept.
samzenpus (5) writes "Alexander Stepanov is an award winning programmer who designed the C++ Standard Template Library. Daniel E. Rose is a programmer, research scientist, and is the Chief Scientist for Search at A9.com. In addition to working together, the duo have recently written a new book titled, From Mathematics to Generic Programming. Earlier this month you had a chance to ask the pair about their book, their work, or programming in general. Below you'll find the answers to those questions."
Privacy

Being Pestered By Drones? Buy a Drone-Hunting Drone 151

Posted by timothy
from the you'll-also-want-a-drone-hunting-drone-hunting-drone dept.
schwit1 writes, "Are paparazzi flying drones over your garden to snap you sunbathing? You may need the Rapere, the drone-hunting drone which uses 'tangle-lines' to quickly down its prey." From The Telegraph's article: It has been designed to be faster and more agile than other drones to ensure that they can't escape - partly by limiting flight time and therefore reducing weight. “Having worked in the UAS industry for years, we've collectively never come across any bogus use of drones. However it's inevitable that will happen, and for people such as celebrities, where there is profit to be made in illegally invading their privacy, there should be an option to thwart it,” the group say on their website. This seems more efficient than going after those pesky paparazzi drones with fighting kites (video), but it should also inspire some skepticism: CNET notes that the team behind it is anonymous, and that "Rapere works in a lab setting, however there aren't any photos or videos of the killer drone in action. The website instead has only a slideshow of the concept."
Communications

Feds Operated Yet Another Secret Metadata Database Until 2013 102

Posted by timothy
from the problem-with-authority dept.
A story at Ars Technica describes yet another Federal database of logged call details maintained by the Federal government which has now come to light, this one maintained by the Department of Justice rather than the NSA, and explains how it came to be discovered: [A] three-page partially-redacted affidavit from a top Drug Enforcement Agency (DEA) official, which was filed Thursday, explained that the database was authorized under a particular federal drug trafficking statute. The law allows the government to use "administrative subpoenas" to obtain business records and other "tangible things." The affidavit does not specify which countries records were included, but specifically does mention Iran. ... This database program appears to be wholly separate from the National Security Agency’s metadata program revealed by Edward Snowden, but it targets similar materials and is collected by a different agency. The Wall Street Journal, citing anonymous sources, reported Friday that this newly-revealed program began in the 1990s and was shut down in August 2013. From elsewhere in the article: "It’s now clear that multiple government agencies have tracked the calls that Americans make to their parents and relatives, friends, and business associates overseas, all without any suspicion of wrongdoing," [said ACLU lawyer Patrick Toomey]. "The DEA program shows yet again how strained and untenable legal theories have been used to secretly justify the surveillance of millions of innocent Americans using laws that were never written for that purpose."
Communications

Obama: Gov't Shouldn't Be Hampered By Encrypted Communications 562

Posted by timothy
from the some-animals-more-equal-than-others-by-jingo dept.
According to an article at The Wall Street Journal, President Obama has sided with British Prime Minister David Cameron in saying that police and government agencies should not be blocked by encryption from viewing the content of cellphone or online communications, making the pro-spying arguments everyone has come to expect: “If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem,” Obama said. He said he believes Silicon Valley companies also want to solve the problem. “They’re patriots.” ... The president on Friday argued there must be a technical way to keep information private, but ensure that police and spies can listen in when a court approves. The Clinton administration fought and lost a similar battle during the 1990s when it pushed for a “clipper chip” that would allow only the government to decrypt scrambled messages.
Advertising

Micromax Remotely Installing Unwanted Apps and Showing Ads 50

Posted by timothy
from the what-will-you-tolerate dept.
jones_supa (887896) writes "Reports are coming in that users of certain devices by Indian phone manufacturer Micromax noticed apps being silently installed without their consent or permission. Uninstalling these apps won't help, as they will be automatically reinstalled. Alternatively, instead of downloading apps, the phone might litter the UI with stack of notifications which are advertisements for online stores and other apps. It turns out that the "System Update" application is responsible for all of this. When starting to tear down the application (which is actually called FWUpgrade.apk on the filesystem), the first thing you notice is that it's a third-party application. A Chinese company named Adups developed it as a replacement for the stock Google OTA service. The article shows the potential abilities of this app and how Micromax customers can work around the disruptive behavior."