Businesses

Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) 274

From a report: Multiple U.S. security consultants and other industry sources tell The Daily Beast customers are dropping their use of Kaspersky software all together, particularly in the financial sector, likely concerned that Russian spies can rummage through their files. Some security companies are being told to only provide U.S. products. And former Kaspersky employees describe the firm as reeling, with department closures and anticipation that researchers will jump ship soon. "We are under great pressure to only use American products no matter the technical or performance consequences," said a source in a cybersecurity firm which uses Kaspersky's anti-virus engine in its own services. The Daily Beast granted anonymity to some of the industry sources to discuss internal deliberations, as well as the former Kaspersky employees to talk candidly about recent events.
Businesses

Amazon's Next Big Bet is Letting You Communicate Without a Smartphone, Says Alexa's Chief Scientist (cnbc.com) 143

An anonymous reader shares a report: The next big function to take off on Amazon's Echo devices will be voice or video calling -- which is a way Alexa can reduce the need to have your smartphone on your at all times, said Rohit Prasad, VP and Head Scientist at Alexa Machine Learning. "If you have not played with calling and the video calls on Echo Show, you should try it because that is revolutionizing how you can communicate," Prasad said in an exclusive interview with CNBC at an Alexa Accelerator event in Seattle Tuesday night. (The event is dedicating to developing new voice-powered technologies.) "When you can drop in on people who have given you access -- so I can drop in and call my mom in her kitchen without her picking any device -- it's just awesome." (Amazon added the ability to call mobile numbers and landlines for free onto Echo devices a few weeks ago.) Amazon doesn't have a smartphone that lets customers bring a digital assistant everywhere -- like Apple's Siri and Google's Assistant -- and communicating through Alexa devices is one way of reducing the need for a personal handset, Prasad said "I can easily drop in and talk to my kids," Prasad says. "They don't have a smartphone so that's my easiest way to talk to them. It's yet another area where Alexa is taking the friction away."
Twitter

Twitter Suspends 300,000 Accounts Tied To Terrorism In 2017 (bloomberg.com) 69

According to a new transparency report, Twitter said it suspended nearly 300,000 accounts globally linked to terrorism in the first half of the year. The company is improving automation tools used to help block accounts that promote terrorism and violence. Bloomberg reports: Of [the nearly 300,000 accounts that were suspended], roughly 95 percent were identified by the company's spam-fighting automation tools. Meanwhile, the social network said government data requests continued to increase, and that it provided authorities with data on roughly 3,900 accounts from January to June. Twitter said about 75 percent of the blocked accounts this year were spotted before a single tweet was sent, and that 935,897 accounts had been suspended since August 2015, with two-thirds of those coming in the past year. American authorities made 2,111 requests from Twitter from January to June, the most of the 83 countries tracked by the company. Twitter supplied information on users in 77 percent of the inquiries. Japan made 1,384 requests and the U.K. issued 606 requests. Turkish authorities continued a trend of aggressively policing Twitter, making 554 requests for account data and issuing court orders to remove 715 pieces of content. Other governments made only 38 total content-removal requests.
Iphone

How One Writer Is Battling Tech-Induced Attention Disorder (wired.com) 195

New submitter mirandakatz writes: Katie Hafner has spent the last 23 days in rehab. Not for alcoholism or gambling, but for a self-inflicted case of episodic partial attention thanks to her iPhone. On Backchannel, Hafner writes about the detrimental effect the constant stream of pings has had on her, and how her life has come to resemble a computer screen. "I sense a constant agitation when I'm doing something," she says, "as if there is something else out there, beckoning -- demanding -- my attention. And nothing needs to be deferred." "I blame electronics for my affliction," writes Hafner, who says the devices in her life "teem with squirrels." "If I pick up my iPhone to send a text, damned if I don't get knocked off task within a couple of seconds by an alert about Trump's latest tweet. And my guess is that if you have allowed your mind to be as tyrannized by the demands of your devices as I have, you too suffer to some degree from this condition."

Hafner goes on to describe her symptoms of "episodic partial attention" and provide potential fixes for it: "There are the obvious fixes. Address the electronics first: Silence the phone as well as all alerts on your computer, and you automatically banish two squirrels. But how do you shut down the micro-distractions that dangle everywhere in your physical world, their bushy gray tails twitching seductively? My therapy, of my own devising, consists of serial mono-tasking with a big dose of mindful intent, or intentional mindfulness -- which is really just good, old-fashioned paying attention. At first, I took the tiniest of steps. I celebrated the buttoning of a blouse without stopping to apply the hand cream I spotted on the dresser as if I had gotten into Harvard. Each task I took on -- however mundane -- I had to first announce, quietly, to myself. I made myself vow that I would work on that task and only that task until it was finished. Like a stroke patient relearning how to move an arm, I told myself not that I was making the entire bed (too overwhelming), but that I had a series of steps to perform: first the top sheet, then the blankets, then the comforter, then the pillows. Emptying the dishwasher became my Waterloo. Putting dishes away takes time, and it's tedious. Perhaps the greatest challenge lies in the fact that the job requires repeated kitchen crossings. There are squirrels everywhere, none more treacherous than the siren song that is my iPhone."
Botnet

Massive New Spambot Ensnares 711,000,000 Email Addresses (zdnet.com) 31

An anonymous reader quotes ZDNet: A huge spambot ensnaring 711 million email accounts has been uncovered. A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam. Those credentials are crucial for the spammer's large-scale malware operation to bypass spam filters by sending email through legitimate email servers.

The spambot, dubbed "Onliner," is used to deliver the Ursnif banking malware into inboxes all over the world. To date, it's resulted in more than 100,000 unique infections across the world, Benkow told ZDNet. Troy Hunt, who runs breach notification site Have I Been Pwned, said it was a "mind-boggling amount of data." Hunt, who analyzed the data and details his findings in a blog post, called it the "largest" batch of data to enter the breach notification site in its history... Those credentials, he explained, have been scraped and collated from other data breaches, such as the LinkedIn hack and the Badoo hack, as well also other unknown sources.

The data includes information on 80 million email servers, and it's all used to identify which recipients have Windows computers, so they can be targeted in follow-up emails delivering Windows-specific malware.
Facebook

Fake Messages Rigged With Malware Are Spreading Via Facebook Messenger (bleepingcomputer.com) 44

According to recent warnings issued by Avira, CSIS Security Group, and Kaspersky Lab, a virulent spam campaign has hit Facebook Messenger during the past few days. "The Facebook spam messages contain a link to what appears to be a video," reports Bleeping Computer. "The messages arrive from one of the user's friends, suggesting that person's account was also compromised." From the report: The format of the spam message is the user's first name, the word video, and a bit.ly or t.cn short-link. Users that click on the links are redirected to different pages based on their geographical location and the type of browser and operating system they use. It's been reported that Firefox users on Windows and Mac are being redirected to a page offering a fake Flash Player installer. Kaspersky says this file installs adware on users' PCs. On Chrome, the spam campaign redirects users to a fake YouTube page pushing a malicious extension. It is believed that crooks use this Chrome extension to push adware and collect credentials for new Facebook accounts, which they later use to push the spam messages to new users.
IT

Developer Accidentally Deletes Three-Month of Work With Visual Studio Code (bingj.com) 765

New submitter joshtops writes: A developer accidentally three-month of his work. In a post, he described his experience, "I had just downloaded VScode as an alternative and I was just playing with the source control option, seeing how it wanted to stage -- five thousand files -- I clicked discard... AND IT DELETED ALL MY FILES, ALL OF THEM, PERMANENTLY! How the f*uk is this s*it possible, who the hell is the d******* who made the option to permanently delete all the files on a project by accident even possible? Cannot even find them in the Recycle Bin!!!! I didn't even thought that was possible on Windows!!! F*ck this f*cking editor and f*ck whoever implemented this option. I wish you the worst.'
Software

Are App Sizes Out of Control? 386

In a blog post, Trevor Elkins points out the large sizes of common apps like LinkedIn and Facebook. "I went to update all my apps the other day when something caught my eye... since when does LinkedIn take up 275MB of space?!" Elkins wrote. "In fact, the six apps in this picture average roughly 230MB in size, 1387MB in total. That would take an 8Mbit internet connection 24 minutes to download, and I'd still be left with 27 additional apps to update! More and more companies are adopting shorter release cycles (two weeks or so) and it's becoming unsustainable as a consumer to update frequently."

Should Apple do something to solve this "systematic" problem? Elkins writes, "how does an app that occasionally sends me a connection request and recruiter spam take up 275MB?"

Further discussion via Hacker News.
The Internet

O'Reilly Media Asks: Is It Time To Build A New Internet? (oreilly.com) 305

An anonymous reader shares an article from O'Reilly Media's VP of content strategy: It's high time to build the internet that we wanted all along: a network designed to respect privacy, a network designed to be secure, and a network designed to impose reasonable controls on behavior. And a network with few barriers to entry -- in particular, the certainty of ISP extortion as new services pay to get into the "fast lane." Is it time to start over from scratch, with new protocols that were designed with security, privacy, and maybe even accountability in mind? Is it time to pull the plug on the abusive old internet, with its entrenched monopolistic carriers, its pervasive advertising, and its spam? Could we start over again?

That would be painful, but not impossible... In his deliciously weird novel Someone Comes To Town, Someone Leaves Town, Cory Doctorow writes about an alternative network built from open WiFi access points. It sounds similar to Google's Project Fi, but built and maintained by a hacker underground. Could Doctorow's vision be our future backboneless backbone? A network of completely distributed municipal networks, with long haul segments over some public network, but with low-level protocols designed for security? We'd have to invent some new technology to build that new network, but that's already started.

The article cites the increasing popularity of peer-to-peer functionality everywhere from Bitcoin and Blockchain to the Beaker browser, the Federated Wiki, and even proposals for new file-sharing protocols like IPFS and Upspin. "Can we build a network that can't be monopolized by monopolists? Yes, we can..."

"It's time to build the network we want, and not just curse the network we have."
Social Networks

Nearly 90,000 Sex Bots Invaded Twitter in 'One of the Largest Malicious Campaigns Ever Recorded on a Social Network' (gizmodo.com) 53

An anonymous reader shares a report: Last week, Twitter's security team purged nearly 90,000 fake accounts after outside researchers discovered a massive botnet peddling links to fake "dating" and "romance" services. The accounts had already generated more than 8.5 million posts aimed at driving users to a variety of subscription-based scam websites with promises of -- you guessed it -- hot internet sex. The accounts were first identified by ZeroFOX, a Baltimore-based security firm that specializes in social-media threat detection. The researchers dubbed the botnet "SIREN" after sea-nymphs described in Greek mythology as half-bird half-woman creatures whose sweet songs often lured horny, drunken sailors to their rocky deaths. ZeroFOX's research into SIREN offers a rare glimpse into how efficient scammers have become at bypassing Twitter's anti-spam techniques. Further, it demonstrates how effective these types of botnets can be: The since-deleted accounts collectively generated upwards of 30 million clicks -- easily trackable since the links all used Google's URL shortening service.
The Courts

Warner Bros., Tolkien Estate Settle $80 Million 'Hobbit' Lawsuit (hollywoodreporter.com) 71

Five years later and it appears Warner Bros. and the estate of author J.R.R. Tolkien have settled their lawsuit over the digital exploitation of The Hobbit and The Lord of the Rings. "The Tolkien Estate and book publisher HarperCollins filed a $80 million lawsuit in 2012 alleging that Warners, its New Line subsidiary and Rings/Hobbit rightsholder Saul Zaentz Co. infringed copyright and breached contract by overstepping their authority," reports Hollywood Reporter. "The plaintiffs claimed that a decades-old rights agreement entitled the studio to create only 'tangible' merchandise based on the books, not other digital exploitations that the estate called highly offensive." From the report: The lawsuit brought the two sides into a new battle. Previously, New Line and the Tolkien Estate had fought over profit participation, coming to a deal in 2009 pegged as being worth more than $100 million. As Warner Bros. readied a Peter Jackson big-screen adaptation of The Hobbit, the Tolkien Estate began investigating digital exploitations when its attorney received a spam e-mail about the Lord of the Rings: The Fellowship of the Ring: Online Slot Game. The subsequent complaint filed in court talked about irreparable harm to Tolkien's legacy and reputation from the prospect of everything from online games to housing developments. In reaction, Warner Bros. filed counterclaims, alleging that repudiation of a 1969 contract and 2010 regrant caused the studio to miss out on millions in Hobbit licensing and decreased exposure to the Jackson films. Warners contended that digital exploitations was both customary and within its scope of rights. Those counterclaims became the subject of a side fight over whether Warners could sue for being sued. The 9th Circuit Court of Appeals agreed that Warner Bros. had properly asserted contract claims.
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
Businesses

How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com) 179

Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive: The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step-up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...

Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.

The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
Security

New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com) 151

An anonymous reader quotes Engadget: You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
Security

Chinese 'Fireball' Malware Infects Nearly 250 Million Computers Worldwide (thehackernews.com) 66

Check Point researchers have discovered a massive malware campaign, dubbed Fireball, that has already infected more than 250 million computers across the world, including Windows and Mac OS. The Fireball malware "is an adware package that takes complete control of victim's web browsers and turns them into zombies, potentially allowing attackers to spy on victim's web traffic and potentially steal their data," reports The Hacker News. From the report: Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide. Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com). "It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."
Communications

FCC Suspends Net Neutrality Comments, As Chairman Pai Mocks 'Mean Tweets' (gizmodo.com) 184

An anonymous reader writes:Thursday the FCC stopped accepting comments as part of long-standing rules "to provide FCC decision-makers with a period of repose during which they can reflect on the upcoming items" before their May 18th meeting. Techdirt wondered if this time to reflect would mean less lobbying from FCC Chairman Ajit Pai, but on Friday Pai recorded a Jimmy Kimmel-style video mocking mean tweets, with responses Gizmodo called "appalling" and implying "that anyone who opposes his cash grab for corporations is a moron."

Meanwhile, Wednesday The Consumerist reported the FCC's sole Democrat "is deploying some scorched-earth Microsoft Word table-making to use FCC Chair Ajit Pai's own words against him." (In 2014 Pai wrote "A dispute this fundamental is not for us five, unelected individuals to decide... We should also engage computer scientists, technologists, and other technical experts to tell us how they see the Internet's infrastructure and consumers' online experience evolving.") But Pai seemed to be mostly sticking to friendlier audiences, appearing with conservative podcasters from the Taxpayer Protection Alliance, the AEI think tank and The Daily Beast.

The Verge reports the flood of fake comments opposing Net Neutrality may have used names and addresses from a breach of 1.4 billion personal information records from marketing company River City Media. Reached on Facebook Messenger, one woman whose named was used "said she hadn't submitted any comments, didn't live at that address anymore and didn't even know what net neutrality is, let alone oppose it."

Techdirt adds "If you do still feel the need to comment, the EFF is doing what the FCC itself should do and has set up its own page at DearFCC.org to hold any comments."
Spam

Nuisance Call Firm Keurboom Hit With Record Fine (bbc.com) 81

An anonymous reader writes: A cold-calling firm has been fined a record $515,000 by the Information Commissioner's Office (ICO) for making almost 100 million nuisance calls. Keurboom Communications called people, sometimes at night, to see if they were eligible for road-accident or PPI compensation, the ICO said. It breached privacy laws by calling people without their consent. The company has since gone into liquidation but the ICO said it was committed to recovering the fine. It said it had received more than 1,000 complaints about automated calls from the Bedfordshire-registered company. The ICO said Keurboom Communications called some people repeatedly and during unsocial hours. It also hid its identity so that people would find it harder to complain. "The unprecedented scale of its campaign and Keurboom's failure to co-operate with our investigation has resulted in the largest fine issued by the Information Commissioner for nuisance calls," said Steve Eckersley, head of enforcement at the ICO.
Advertising

39 Years Ago The World's First Spam Was Sent (mercurynews.com) 60

An anonymous reader write: Wednesday was the 39th anniversary of the world's first spam, sent by Gary Thuerk, a marketer for Massachusetts' Digital Equipment Corporation in 1978 to over 300 users on Arpanet. It was written in all capital letters, and its body began with 273 more email addresses that wouldn't fit in the header. The DEC marketer "was reportedly trying to flag the attention of the burgeoning California tech community," reports the San Jose Mercury News. The message touted two demonstrations of the DECSYSTEM-20, a PDP-10 mainframe computer.

An official at the Defense Communication Agency immediately called it "a flagrant violation of the use of Arpanet as the network is to be used for official U.S. government business only," adding "Appropriate action is being taken to preclude its occurence again." But at the time a 24-year-old Richard Stallman -- then a graduate student at MIT -- claimed he wouldn't have reminded receiving the message...until someone forwarded him a copy. Stallman then responded "I eat my words... Nobody should be allowed to send a message with a header that long, no matter what it is about."
The article reports that today the spam industry earns about $200 million each year, while $20 billion is spent trying to block spam. And the New York Times even has a quote from the DEC employee who sent that first spam. "People either say, 'Wow! You sent the first spam!' or they act like I gave them cooties."
Security

Security Researcher and Alleged Spam Operator To Square Off In Court In Ugly Lawsuit (bleepingcomputer.com) 56

An anonymous reader writes: River City Media, the company accused of running a huge spam operation, has filed a lawsuit against the security researcher and the journalist who exposed their activities. In a ludicrous lawsuit complaint, the company claims the security researcher didn't just stumble upon its unprotected Rsync server, but "perpetrated a coordinated, months-long cyberattack," during which it skirted firewall rules to access its server, used a VPN to disguise his identity, deleted critical files, and published his findings to make a name for himself as an elite security researcher. The company claims the researcher accessed Dropbox and HipChat logs, and even its PayPal account, from where it used funds to purchase various domains. The only evidence the company has is that the person who purchased the domains used a ProtonMail email, just like the researcher, who also uses a ProtonMail email. Remind you, this is the same security researcher, Chris Vickery, who discovered a Reuters database of supposed terrorism suspects, national voter databases for various U.S. states and Mexico, and various other companies.
AI

Tiny Changes Can Cause An AI To Fail (bbc.com) 237

Luthair writes: According to the BBC there is growing concern in the machine learning community that as their algorithms are deployed in the real world they can be easily confused by knowledgeable attackers. These algorithms don't process information in the same way humans do, a small sticker placed strategically on a sign could render it invisible to a self driving car.
The article points out that a sticker on a stop sign "is enough for the car to 'see' the stop sign as something completely different from a stop sign," while researchers have created an online collection of images which currently fool AI systems. "In one project, published in October, researchers at Carnegie Mellon University built a pair of glasses that can subtly mislead a facial recognition system -- making the computer confuse actress Reese Witherspoon for Russell Crowe."

One computer academic says that unlike a spam-blocker, "if you're relying on the vision system in a self-driving car to know where to go and not crash into anything, then the stakes are much higher," adding ominously that "The only way to completely avoid this is to have a perfect model that is right all the time." Although on the plus side, "If you're some political dissident inside a repressive regime and you want to be able to conduct activities without being targeted, being able to avoid automated surveillance techniques based on machine learning would be a positive use."

Slashdot Top Deals