Twitter

Twitter Suspends 300,000 Accounts Tied To Terrorism In 2017 (bloomberg.com) 69

According to a new transparency report, Twitter said it suspended nearly 300,000 accounts globally linked to terrorism in the first half of the year. The company is improving automation tools used to help block accounts that promote terrorism and violence. Bloomberg reports: Of [the nearly 300,000 accounts that were suspended], roughly 95 percent were identified by the company's spam-fighting automation tools. Meanwhile, the social network said government data requests continued to increase, and that it provided authorities with data on roughly 3,900 accounts from January to June. Twitter said about 75 percent of the blocked accounts this year were spotted before a single tweet was sent, and that 935,897 accounts had been suspended since August 2015, with two-thirds of those coming in the past year. American authorities made 2,111 requests from Twitter from January to June, the most of the 83 countries tracked by the company. Twitter supplied information on users in 77 percent of the inquiries. Japan made 1,384 requests and the U.K. issued 606 requests. Turkish authorities continued a trend of aggressively policing Twitter, making 554 requests for account data and issuing court orders to remove 715 pieces of content. Other governments made only 38 total content-removal requests.
Encryption

Why You Shouldn't Use Texts For Two-Factor Authentication (theverge.com) 100

An anonymous reader quotes a report from The Verge: A demonstration video posted by Positive Technologies (and first reported by Forbes) shows how easy it is to hack into a bitcoin wallet by intercepting text messages in transit. The group targeted a Coinbase account protected by two-factor authentication, which was registered to a Gmail account also protected by two-factor. By exploiting known flaws in the cell network, the group was able to intercept all text messages sent to the number for a set period of time. That was enough to reset the password to the Gmail account and then take control of the Coinbase wallet. All the group needed was the name, surname and phone number of the targeted Bitcoin user. These were security researchers rather than criminals, so they didn't actually steal anyone's bitcoin, although that would have been an easy step to take. At a glance, this looks like a Coinbase vulnerability, but the real weakness is in the cellular system itself. Positive Technologies was able to hijack the text messages using its own research tool, which exploits weaknesses in the cellular network to intercept text messages in transit. Known as the SS7 network, that network is shared by every telecom to manage calls and texts between phone numbers. There are a number of known SS7 vulnerabilities, and while access to the SS7 network is theoretically restricted to telecom companies, hijacking services are frequently available on criminal marketplaces. The report notes of several ways you can protect yourself from this sort of attack: "On some services, you can revoke the option for SMS two-factor and account recovery entirely, which you should do as soon as you've got a more secure app-based method established. Google, for instance, will let you manage two-factor and account recovery here and here; just set up Authenticator or a recovery code, then go to the SMS option for each and click 'Remove Phone.'"
Bitcoin

Ethereum Will Match Visa In Scale In a 'Couple of Years,' Says Founder (techcrunch.com) 110

Ethereum's founder, Vitalik Buterin, believes that his cryptocurrency has the potential to replace things like credit card networks and gaming servers. He even goes as far to say that Ethereum will replace Visa in "a couple of years," though he later clarified that "ethereum *will have Visa-scale tx capacity*, not that it will 'replace Visa.'" TechCrunch reports: "There's the average person who's already heard of bitcoin and the average person who hasn't," he said. His project itself builds upon that notion by adding more utility to the blockchain, thereby creating something everyone will want to hear about. "Where Ethereum comes from is basically you take the idea of crypto economics and the kinds of economic incentives that keeps things like bitcoin going to create decentralized networks with memory for a whole bunch of applications," he said. "A good blockchain application is something that needs decentralization and some kind of shared memory." That's what he's building and hopes others will build on the Ethereum network.

Right now the network is a bit too slow for most mainstream applications. "Bitcoin is processing a bit less than 3 transactions per second," he said. "Ethereum is doing five a second. Uber gives 12 rides a second. It will take a couple of years for the blockchain to replace Visa." Buterin doesn't think everything should run on the blockchain but many things can. As the technology expands it can grow to replace many services that require parallelization -- that is programs that should run at the same time.

Communications

T-Mobile To Increase Deprioritization Threshold To 50GB This Week (tmonews.com) 67

After raising its deprioritization threshold to 32GB in May, it looks like T-Mobile will bump it up to 50GB on September 20th, according to a TmoNews source. The move will widen the gap between T-Mobile and its competition. For comparison, Sprint's deprioritization threshold is currently 23GB, while AT&T and Verizon's are both 22GB. TmoNews reports: It's said that this 50GB threshold won't change every quarter and no longer involves a specific percentage of data users. As with the current 32GB threshold, customers that exceed this new 50GB deprioritization threshold in a single month may experience reduced speeds in areas where the network is congested. T-Mobile hasn't issued an announcement regarding this news, but the official @TMobileHelp account recently tweeted "Starting 9/20, the limit will be increased!" in response to a question about this news.
AI

AI Just Made Guessing Your Password a Whole Lot Easier (sciencemag.org) 132

sciencehabit shares a report from Science Magazine: The Equifax breach is reason for concern, of course, but if a hacker wants to access your online data by simply guessing your password, you're probably toast in less than an hour. Now, there's more bad news: Scientists have harnessed the power of artificial intelligence (AI) to create a program that, combined with existing tools, figured more than a quarter of the passwords from a set of more than 43 million LinkedIn profiles.

Researchers at Stevens Institute of Technology in Hoboken, New Jersey, started with a so-called generative adversarial network, or GAN, which comprises two artificial neural networks. A "generator" attempts to produce artificial outputs (like images) that resemble real examples (actual photos), while a "discriminator" tries to detect real from fake. They help refine each other until the generator becomes a skilled counterfeiter. The Stevens team created a GAN it called PassGAN and compared it with two versions of hashCat and one version of John the Ripper. The scientists fed each tool tens of millions of leaked passwords from a gaming site called RockYou, and asked them to generate hundreds of millions of new passwords on their own. Then they counted how many of these new passwords matched a set of leaked passwords from LinkedIn, as a measure of how successful they'd be at cracking them. On its own, PassGAN generated 12% of the passwords in the LinkedIn set, whereas its three competitors generated between 6% and 23%. But the best performance came from combining PassGAN and hashCat. Together, they were able to crack 27% of passwords in the LinkedIn set, the researchers reported this month in a draft paper posted on arXiv. Even failed passwords from PassGAN seemed pretty realistic: saddracula, santazone, coolarse18.

Medicine

Sedentary Lifestyle Study Called 'A Raging Dumpster Fire' (arstechnica.com) 153

Ars Technica's health reporter argues that a new study suggesting sitting will kill you "is kind of a raging dumpster fire. It's funded by Big Soda and riddled with weaknesses -- including not measuring sitting." An anonymous reader quotes this report: Let's start with the money: It was funded in part by Coca-Cola... [I]t's hard to look past the fact that this is exactly the type of health and nutrition research Coke wants. In fact, Coca-Cola secretly spent $1.5 million to fund an entire network of academic researchers whose goal was to shift the national health conversation away from the harms of sugary beverages. Instead, their research focused on the benefits of exercise -- i.e., the health risks of sedentary and inactive lifestyles. The research network disbanded after The New York Times published an investigation on the network's funding in 2015...

It didn't actually measure sitting... In their words, "Our study has several limitations. First, the Actical accelerometer cannot distinguish between postures (such as sitting vs. standing); thus, we relied on an intensity-only definition of sedentary behavior." The "intensity-only" definition of sedentary behavior is based on metabolic equivalents, basically units defined by how much oxygen a person uses up doing various activities. But those definitions are also not cut and dried. There are no clear lines between lying down, sitting, standing in place, or light movement... Then there's the participant data: It's not representative -- like, at all... At the time of wearing the accelerometer, the most active group's mean age was 65. The mean age of the least active group: 75.

Groups were assigned based on just a week's worth of data -- or less. And the people placed in the least-active group were already more likely to be smokers, to have diabetes and hypertension, and to have a history of coronary heart disease and stroke.
Government

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net) 53

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
Social Networks

Facebook Shares Details Of Russia-Bought Ads With US Investigators (cnn.com) 232

An anonymous reader quotes CNN: Special counsel Robert Mueller and his team are now in possession of Russian-linked ads run on Facebook during the presidential election, after they obtained a search warrant for the information. Facebook gave Mueller and his team copies of ads and related information it discovered on its site linked to a Russian troll farm, as well as detailed information about the accounts that bought the ads and the way the ads were targeted at American Facebook users, a source with knowledge of the matter told CNN. The disclosure, first reported by the Wall Street Journal, may give Mueller's office a fuller picture of who was behind the ad buys and how the ads may have influenced voter sentiment during the 2016 election...

As CNN reported Thursday, Facebook is still not sure whether pro-Kremlin groups may have made other ad buys intended to influence American politics that it simply hasn't discovered yet. It is even possible that unidentified ad buys may still exist on the social media network today.

Networking

Scientists Explore A Light Bulb-Based Based 10Gbps Li-Fi/5G Home Network (ispreview.co.uk) 12

Mark.JUK writes: Researchers at Brunel University in London have begun to develop a new 10 Gbps home wireless network using both Li-Fi (light fidelity) and 5G based mmWave technology, which will fit inside LED (light-emitting diode) light bulbs on your ceiling.

In simple terms, the Visible Light Communication (VLC) based Li-Fi technology works by flicking a LED light off and on thousands of times a second (by altering the length of the flickers you can introduce digital communications).

The article says it'd be more energy efficient (and faster) than a standard Wi-Fi network -- though both technologies have trouble penetrating walls, so "you'd have to buy lots of pricey new bulbs in order to cover your home..."

"It's probably not something that an ordinary home owner would want to install; unless you're happy with running lots of optical fibre cable around your various light fittings."
Verizon

8,500 Verizon Customers Disconnected Because of 'Substantial' Data Use (arstechnica.com) 105

An anonymous reader quotes a report from Ars Technica: Verizon is disconnecting another 8,500 rural customers from its wireless network, saying that roaming charges have made certain customer accounts unprofitable for the carrier. The 8,500 customers have 19,000 lines and live in 13 states (Alaska, Idaho, Iowa, Indiana, Kentucky, Maine, Michigan, Missouri, Montana, North Carolina, Oklahoma, Utah, and Wisconsin), a Verizon Wireless spokesperson told Ars today. They received notices of disconnection this month and will lose access to Verizon service on October 17. Verizon said in June that it was only disconnecting "a small group of customers" who were "using vast amounts of data -- some as much as a terabyte or more a month -- outside of our network footprint." But one customer, who contacted Ars this week about being disconnected, said her family never used more than 50GB of data across four lines despite having an "unlimited" data plan. We asked Verizon whether 50GB a month is a normal cut-off point in its disconnections of rural customers, but the company did not provide a specific answer. "These customers live outside of areas where Verizon operates our own network," Verizon said. "Many of the affected consumer lines use a substantial amount of data while roaming on other providers' networks and the roaming costs generated by these lines exceed what these consumers pay us each month. We sent these notices in advance so customers have plenty of time to choose another wireless provider."
Security

BlueBorne Vulnerabilities Impact Over 5 Billion Bluetooth-Enabled Devices (bleepingcomputer.com) 121

An anonymous reader quotes a report from Bleeping Computer: Security researchers have discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. Researchers say the vulnerabilities are undetectable and unstoppable by traditional security solutions. No user interaction is needed for an attacker to use the BleuBorne flaws, nor does the attacker need to pair with a target device. They affect the Bluetooth implementations in Android, iOS, Microsoft, and Linux, impacting almost all Bluetooth device types, from smartphones to laptops, and from IoT devices to smart cars. Furthermore, the vulnerabilities can be concocted into a self-spreading BlueTooth worm that could wreak havoc inside a company's network or even across the world. "These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date," an Armis spokesperson told Bleeping Computer via email. "Previously identified flaws found in Bluetooth were primarily at the protocol level," he added. "These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device." Consumers are recommended to disable Bluetooth unless you need to use it, but then turn it off immediately. When a patch or update is issued and installed on your device, you should be able to turn Bluetooth back on and leave it on safely. The BlueBorne Android App on the Google Play Store will be able to determine if a user's Android device is vulnerable. A technical report on the BlueBorne flaws is available here (PDF).
Businesses

The New Corporate Recruitment Pool: Workers In Dead-End Jobs (msn.com) 207

New submitter cdreimer writes: According a report from The Wall Street Journal (Warning: source may be paywalled, alternative source), corporations looking to hire new employees are opening offices in cities with high concentration of workers in dead-end jobs who are reluctant to locate but are cheaper to hire than competing locally in tight labor markets. From the report: "Pressed for workers, a New Jersey-based software company went hunting for a U.S. city with a surplus of talented employees stuck in dead-end jobs. Brian Brown, chief operating officer at AvePoint, Inc., struck gold in Richmond. Despite the city's low unemployment rate, the company had no trouble filling 70 jobs there, some at 20% below what it paid in New Jersey. New hires, meanwhile, got more interesting work and healthy raises. Irvine, Calif.-based mortgage lender Network Capital Funding Corp. opened an office in Miami to scoop up an attractive subset of college graduates -- those who settled for tolerable jobs in exchange for living in a city they loved. 'They were not in real careers,' said Tri Nguyen, Network Capital chief executive. He now plans a similar expansion in Philadelphia. Americans have traditionally moved to find jobs. But with a growing reluctance by workers to relocate, some companies have decided to move closer to potential hires. Firms are expanding to cities with a bounty of underemployed, retrieving men and women from freelance gigs, manual labor and part-time jobs with duties that, one worker said, required only a heartbeat to perform. With the national jobless rate near a 16-year low, these pockets of underemployment are a wellspring for companies that recognize most new hires already have jobs but can be poached with better pay and room for advancement. That's preferable to competing for higher-priced workers at home in a tight labor market."
China

China Builds World's Largest EV Charging Network With 167,000 Stations (247wallst.com) 103

"It soon will become easier to charge a Chevy Bolt or Tesla in China," reports 24/7 Wall Street, citing reports from China's official newspaper that they've built the highest number of electric-car charging facilities in the world, offering "the broadest coverage, and the most advanced technology." AmiMoJo quotes their announcement: A total of 167,000 charging piles have now been connected to the telematics platform of the State Grid Corporation of China, making it the world's largest electric vehicle (EV) charging network. By cooperating with 17 charging station operators, the SGCC now offers more than 1 million kilowatt-hours of power each day.
24/7 Wall Street says the ambitious (and government-subsidized) plan "is bound to help electronic car adoption since most vehicles in the category have ranges well under 300 miles."
Social Networks

Why It's So Hard To Trust Facebook (cnn.com) 139

Brian Stelter, writing for CNN: Why won't Facebook show the public the propagandistic ads that a so-called Russian troll farm bought last year to target American voters? That lack of transparency is troubling to many observers. "Show us the ads Zuck!" Silicon Valley entrepreneur Jason Calacanis wrote on Twitter when The Washington Post reported on the surreptitious ad buys on Wednesday. Calacanis said Facebook was "profiting off fake news," echoing a widely held criticism of the social network. It was only the latest example of Facebook's credibility problem. For a business based on the concept of friendship, it's proving to be a hard company to trust. On the business side, Facebook's metrics for advertisers have been error-prone, to say the least. Analysts and reporters have repeatedly uncovered evidence of faulty data and measurement mistakes. Facebook's opaqueness has also engendered mistrust in the political arena. Conservative activists have accused the company of censoring right-wing voices and stories. Liberal activists have raised alarms about its exploitation of personal information to target ads. And the news business is worried about the spread of bogus stories and hoaxes on the site. Some critics have even taken to calling Facebook a "surveillance company," seeking to reframe the business the social network is in -- not networking but ad targeting based on monitoring of users. Over at The Verge, Casey Newton documents inconsistencies in Facebook's public remarks over its role in the outcome of the presidential election last year. Newton says Facebook's shifting Russian ads stories and unwillingness to disclose information citing laws (which seem to imply otherwise) are damaging its credibility.
Businesses

Google Is Apparently Ready To Buy Smartphone Maker HTC (cnbc.com) 102

According to a Taiwanese news outlet called Commercial Times, Google is in the final stages of acquiring all or part of smartphone maker HTC. CNBC reports: The report seems fishy, since Google has already been down this road, but there's a reason why Google might be interested in HTC. The Taiwanese company builds the Google Pixel, which means it could be a good fit for Google as it continues to cater to consumers with its "Pixel" smartphone brand. Here's where it sounds off base: Google acquired Motorola Mobility and then sold it off just a couple of years later. Why repeat that move? Commercial Times said HTC's poor financial position and Google's desire to "perfect [the] integration of software, content, hardware, network, cloud, [and] AI," is the driving force behind Google's interest. The news outlet said Google may make a "strategic investment" or "buy HTC's smartphone R&D team" which suggests that the VR team would exist as its own.
Android

Android Oreo Bug Eats Up Mobile Data Even When On Wi-Fi (betanews.com) 89

Mark Wilson shares a report from BetaNews: An apparent bug with Android Oreo has been discovered which means Google's mobile operating system could be munching its way through your data allowance, even if you're connected to a wireless network. A thread on Reddit highlighted the issue, with many people pointing out that it could prove expensive for anyone not using an unlimited data plan. Google is apparently aware of the problem and is working on a patch, but in the meantime Oreo users are being warned to consider disabling mobile data when they are at home or using a wireless connection elsewhere.
Security

Over 28 Million Records Stolen In Breach of Latin American Social Network Taringa (thehackernews.com) 16

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hackers News reports: The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak is MD5? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."
Privacy

Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com) 87

An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.
Facebook

Facebook Offers Hundreds of Millions of Dollars for Music Rights (bloomberg.com) 84

Facebook is offering major record labels and music publishers hundreds of millions of dollars so the users of its social network can legally include songs in videos they upload, Bloomberg reported on Tuesday. From the report: The posting and viewing of video on Facebook has exploded in recent years, and many of the videos feature music to which Facebook doesn't have the rights. Under current law, rights holders must ask Facebook to take down videos with infringing material. Music owners have been negotiating with Facebook for months in search of a solution, and Facebook has promised to build a system to identify and tag music that infringes copyrights. Yet such a setup will take as long as two years to complete, which is too long for both sides to wait, said the people, who asked not to be named discussing details that aren't public. Facebook is eager to make a deal now so that it no longer frustrates users, by taking down their videos; partners, by hosting infringing material; or advertisers, with the prospect of legal headaches. The latest discussions will ensure Facebook members can upload video with songs just as it's rolling out Watch, a new hub for video, and funding the production of original series. Facebook is attempting to attract billions of dollars in additional advertising revenue and challenge YouTube as the largest site for advertising-supported video on the web.
AT&T

AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities (threatpost.com) 75

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, a HTTP server with little authentication which allows command injection, and an internet exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

Slashdot Top Deals