Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Advertising

New Stegano Exploit Kit Hides Malvertising Code In Banner Pixels (bleepingcomputer.com) 85

An anonymous reader quotes a report from BleepingComputer: For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites. Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files. In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads. The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites. Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character. Since images have millions of pixels, crooks had all the space they needed to pack malicious code inside a PNG photo. When extracted, this malicious code would redirect the user to an intermediary ULR, called gate, where the host server would filter users. This server would only accept connections from Internet Explorer users. The reason is that the gate would exploit the CVE-2016-0162 vulnerability that allowed the crooks to determine if the connection came from a real user or a reverse analysis system employed by security researchers. Additionally, this IE exploit also allowed the gate server to detect the presence of antivirus software. In this case, the server would drop the connection just to avoid exposing its infrastructure and trigger a warning that would alert both the user and the security firm. If the gate server deemed the target valuable, then it would redirect the user to the final stage, which was the exploit kit itself, hosted on another URL. The Stegano exploit kit would use three Adobe Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack the user's PC, and forcibly download and launch into execution various strains of malware.
Businesses

T-Mobile CFO: Less Regulation, Repeal of Net Neutrality By Trump Would Be 'Positive For My Industry' (tmonews.com) 126

An anonymous reader quotes a report from TmoNews: T-Mobile CFO Braxton Carter spoke at the UBS Global Media and Communications Conference in New York City, and he touched a bit on President-elect Donald Trump and what his election could mean for the mobile industry. Carter expects that a Trump presidency will foster an environment that'll be more positive for wireless. "It's hard to imagine, with the way the election turned out, that we're not going to have an environment, from several aspects, that is not going to be more positive for my industry," the CFO said. He went on to explain that there will likely be less regulation, something that he feels "destroys innovation and value creation." Speaking of innovation, Carter also feels that a reversal of net neutrality and the FCC's Open Internet rules would be good for innovation in the industry, saying that it "would provide opportunity for significant innovation and differentiation" and that it'd enable you to "do some very interesting things."
Patents

Supreme Court Rules For Samsung in Smartphone Fight With Apple (reuters.com) 96

The Supreme Court on Tuesday sided with Samsung in its high-profile patent dispute with Apple over design of the iPhone. The justices said Samsung may not be required to pay all the profits it earned from 11 phone models because the features at issue are only a tiny part of the devices. From a report on Reuters: The justices in their 8-0 ruling sent the case back to the lower court for further proceedings. The decision gives Samsung another chance to try to get back a big chunk of the money it paid Apple in December following a 2012 jury verdict that it infringed Apple's iPhone patents and mimicked its distinctive appearance in making the Galaxy and other competing devices. The court held that a patent violator does not always have to fork over its entire profits from the sales of products using stolen designs, if the designs covered only certain components and not the whole thing.
Patents

Supreme Court Considers When US Patent Violations Are 'Induced' Abroad (arstechnica.com) 28

The US Supreme Court today will take up a case that will determine how much help an overseas manufacturer can get from the U.S. without running afoul of US patent laws. From a report on ArsTechnica: The case originates in a dispute between two competitors in the field of genetic testing. Both Promega Corporation and Life Technologies (selling through its Applied Biosciences brand) make DNA testing kits that can be used in a variety of fields, including forensic identification, paternity testing, medical treatment, and research. Promega licensed several patents to Applied Biosystems that allowed its competitor to sell kits for use in "Forensics and Human Identity Applications." The license forbade sales for clinical or research uses. In 2010, Promega filed a lawsuit in federal court, saying that Life Technologies had "engaged in a concerted effort to sell its kits into unlicensed fields," thus infringing its patents. A Wisconsin federal jury found that Life Tech had willfully infringed and should pay $52 million in damages. But the district judge overseeing the case set aside that verdict after trial, ruling that since nearly all of the Life Tech product had been assembled and shipped from outside the US, the product wasn't subject to US patent laws.
Education

White House Silence Seems To Confirm $4 Billion 'Computer Science For All' K-12 Initiative Is No More 261

theodp writes: "2016 as a year of action builds on a decade of national, state, and grassroots activity to revitalize K-12 computer science education," reads the upbeat White House blog post kicking off Computer Science Education Week. But conspicuous by its absence in the accompanying fact sheet for A Year of Action Supporting Computer Science for All is any mention of the status of President Obama's proposed $4 billion Computer Science For All initiative, which enjoyed support from the likes of Microsoft, Facebook, and Google. On Friday, tech-backed Code.org posted An Update on Computer Science Education and Federal Funding, which explained that Congress's passage of a 'continuing resolution' extending the current budget into 2017 spelled curtains for federal funding for the program in 2016 and beyond. "We don't have any direct feedback yet about the next administration's support for K-12 CS," wrote CEO Hadi Partovi and Govt. Affairs VP Cameron Wilson, "other than a promise to expand 'vocational and technical education' as part of Trump's 100-day plan which was published in late October. I am hopeful that this language may translate into support for funding K-12 computer science at a federal level. However, we should assume that it will not."
Government

California State Senator Introduces Bill That Would Mandate Reporting of 'Superbug' Infections, Deaths (reuters.com) 72

An anonymous reader quotes a report from Reuters: A California state senator introduced a bill on Monday that would mandate reporting of antibiotic-resistant infections and deaths and require doctors to record the infections on death certificates when they are a cause of death. The legislation also aims to establish the nation's most comprehensive statewide surveillance system to track infections and deaths from drug-resistant pathogens. Data from death certificates would be used to help compile an annual state report on superbug infections and related deaths. In September, a Reuters investigation revealed that tens of thousands of superbug deaths nationwide go uncounted every year. The infections are often omitted from death certificates, and even when they are recorded, they aren't counted because of the lack of a unified national surveillance system. Because there is no federal surveillance system, monitoring of superbug infections and deaths falls to the states. A Reuters survey of all 50 state health departments and the District of Columbia found that reporting requirements vary widely. Hill's bill would require hospitals and clinical labs to submit an annual summary of antibiotic-resistant infections to the California Department of Health beginning July 1, 2018; amend a law governing death certificates by requiring that doctors specify on death certificates when a superbug was the leading or a contributing cause of death; and require the state Health Department to publish an annual report on resistant infections and deaths, including data culled from death certificates.
Google

Google Preparing 'Invisible ReCAPTCHA' System For No User Interaction (bleepingcomputer.com) 54

An anonymous reader quotes a report from BleepingComputer: Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all. Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but the service is open for sign-ups, and any webmaster can help Google test its upcoming technology. Invisible reCAPTCHA comes two years after Google has revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service that requires users to click on one checkbox instead of solving complex visual puzzles made up of words and numbers. The service helped reduce the time needed to fill in forms, and maintained the same high-level of spam detection we've become accustomed from the reCAPTCHA service. The introduction of the new Invisible reCAPTCHA technology is unlikely to make the situation better for Tor users since CloudFlare will likely force them to solve the same puzzle if they come from IPs seen in the past performing suspicious actions. Nevertheless, CloudFlare started working on an alternative.
Network

Millions In US Still Living Life In Internet Slow Lane (arstechnica.com) 201

An anonymous reader quotes a report from Ars Technica: Millions of Americans still have extremely slow Internet speeds, a new Federal Communications Commission report shows. While the FCC defines broadband as download speeds of 25Mbps, about 47.5 million home or business Internet connections provided speeds below that threshold. Out of 102.2 million residential and business Internet connections, 22.4 million offered download speeds less than 10Mbps, with 5.8 million of those offering less than 3Mbps. About 25.1 million connections offered at least 10Mbps but less than 25Mbps. 54.7 million households had speeds of at least 25Mbps, with 15.4 million of those at 100Mbps or higher. These are the advertised speeds, not the actual speeds consumers receive. Some customers will end up with slower speeds than what they pay for. Upload speeds are poor for many Americans as well. While the FCC uses 3Mbps as the upload broadband standard, 16 million households had packages with upload speeds less than 1Mbps. Another 27.2 million connections were between 1Mbps and 3Mbps, 30.1 million connections were between 3Mbps and 6Mbps, while 29 million were at least 6Mbps. The Internet Access Services report released last week contains data as of December 31, 2015. The 11-month gap is typical for these reports, which are based on information collected from Internet service providers. The latest data is nearly a year old, so things might look a bit better now, just as the December 2015 numbers are a little better than previous ones.
Google

New Google Trusted Contacts Service Shares User Location In Real Time (onthewire.io) 88

Reader Trailrunner7 writes: Google has spent a lot of time and money on security over the last few years, developing new technologies and systems to protect users' devices. One of the newer technologies the company has come up with is designed to provide security for users themselves rather than their laptops or phones.

On Monday Google launched a new app for Android called Trusted Contacts that allows users to share their locations and some limited other information with a set of close friends and family members. The system is a two-way road, so a user can actively share her location with her Trusted Contacts, and stop sharing it at her discretion. But, when a problem or potential emergency comes up, one of those contacts can request to get that user's location to see where she is at any moment. The app is designed to give users a way to reassure contacts that they're safe, or request help if there's something wrong.

The Courts

Embedding Isn't Copyright Infringement, Says Italian Court (arstechnica.co.uk) 25

The appeal court of Rome has overturned one of the 152 website blocks another court imposed last month, and ruled that embedding does not constitute a copyright infringement. From an ArsTechnica report: The order against the Italian site Kisstube is annulled, but the other websites remain blocked. Kisstube is a YouTube channel, which also exists as a standalone website that does not host any content itself, linking instead to YouTube. Both the channel and website arrange content by categories for the convenience of users. The Italian court's decision was informed by an important ruling by the Court of Justice of the European Union (CJEU). In the BestWater case, the CJEU held that embedding or framing a video or image from another website is not copyright infringement if the latter is already accessible to the general public. However, another CJEU judgment ruled that posting hyperlinks to pirated copies of material is only legal provided it is done without knowledge that they are unauthorised versions, and it is not carried out for financial gain.
EU

EU Threatens Twitter And Facebook With Possible 'Hate Speech' Laws (gizmodo.com) 357

An anonymous reader quotes Gizmodo: On Sunday, the European Commission warned Facebook, Twitter, Google, YouTube and Microsoft that if the companies do not address their hate speech problems, the EU will enact legislation that will force them to do so. In May, those five companies voluntarily signed a code of conduct to fight illegal hate speech on their platforms within 24 hours... But on Sunday, the European Commission revealed that the companies were not complying with this code in a satisfactory manner.

"In practice the companies take longer and do not yet achieve this goal. They only reviewed 40 percent of the recorded cases in less than 24 hours," a Commission official told Reuters. The Commission's report found that YouTube responded to reports of harassment the fastest, and unsurprisingly, Twitter found itself in last place. "If Facebook, YouTube, Twitter and Microsoft want to convince me and the ministers that the non-legislative approach can work, they will have to act quickly and make a strong effort in the coming months," Jourova told the Financial Times on Sunday.

Crime

BMW Traps A Car Thief By Remotely Locking His Doors (cnet.com) 362

An anonymous reader quotes CNET: Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal... Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (November 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," wrote Jonah Spangenthal-Lee [deputy director of communications for the Seattle Police Department].

The suspect found a key fob mistakenly left inside the BMW by a friend who'd borrowed the car from the owner and the alleged crime was on. But technology triumphed. When the owner, who'd just gotten married a day earlier, discovered the theft, the police contacted BMW corporate, who tracked the car to Seattle's Ravenna neighborhood.

The 38-year-old inside was then booked for both auto theft and possession of methamphetamine.
Microsoft

Does Windows 10's Data Collection Trade Privacy For Microsoft's Security? (pcworld.com) 178

jader3rd shares an article from PC World arguing that Windows 10's data collection "trades your privacy for Microsoft's security." [Anonymized] usage data lets Microsoft beef up threat protection, says Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security. The information collected is used to improve various components in Windows Defender... For example, Windows Defender Application Guard for Microsoft Edge will put the Edge browser into a lightweight virtual machine to make it harder to break out of the browser and attack the operating system. With telemetry, Microsoft can see when infections get past Application Guard defenses and improve the security controls to reduce recurrences.

Microsoft also pulls signals from other areas of the Windows ecosystem, such as Active Directory, with information from the Windows 10 device to look for patterns that can indicate a problem like ransomware infections and other attacks. To detect those patterns, Microsoft needs access to technical data, such as what processes are consuming system resources, hardware diagnostics, and file-level information like which applications had which files open, Lefferts says. Taken together, the hardware information, application details, and device driver data can be used to identify parts of the operating system are exposed and should be isolated into virtual containers.

The article points out that unlike home users, enterprise users of Windows 10 can select a lower level of data-sharing, but argues that enterprises "need to think twice before turning off Windows telemetry to increase corporate privacy" because Windows Update won't work without information about whether previous updates succeeded or failed.
Security

70 Laptops Got Left Behind At An Airport Security Checkpoint In One Month (bravotv.com) 167

America's Transportation Security Administration has been making some surprising announcements on social media. An anonymous reader writes: A TSA spokesperson says 70 laptops were left behind in just one month at an airport security checkpoint in Newark. "And yes, there are plenty of shiny MacBooks in that pile," reported BravoTV, "which can cost in the $2,000 range new." The TSA shared an image of the 70 laptops on their Instagram page and on Twitter, prompting at least one mobile project designer to reclaim his laptop. "The most common way laptops are forgotten is when traveler's stack a bin on top of the bin their laptop is in," the TSA warns. "Out of sight out of mind."
The TSA is also sharing pictures on social media of the 70 guns they confiscated at security checkpoints in one week in November, reporting they've also confiscated a blowtorch, batarangs, and a replica of that baseball bat from "The Walking Dead". They're reporting they found 33 loaded firearms in carry-on luggage in one week, and remind readers that gun-carrying passengers "can face a penalty as high as $11,000. This is a friendly reminder to please leave these items at home."
Microsoft

How Microsoft Lost In Court Over Windows 10 Upgrades (digitaltrends.com) 121

In June a California woman successfully sued Microsoft for $10,000 over forced Windows 10 upgrades, and she's now written a 58-page ebook about her battle (which she's selling for $9.99). But an anonymous Slashdot reader shares another inspiring story about a Texas IT worker and Linux geek who got Microsoft to pay him $650 for all the time that he lost. "Worley built a Windows 7 machine for his grandfather, who has Alzheimer's Disease, [customized] to look like Windows XP, an operating system his grandfather still remembered well..." writes Digital Trends. "But thanks to Microsoft's persistent Windows 10 upgrade program, Worley's grandfather unknowingly initiated the Win 10 upgrade by clicking the 'X' to close an upgrade window." After Worley filed a legal "Notice of Dispute," Microsoft quickly agreed to his demand for $650, which he donated to a non-profit focusing on Alzheimer's patients.

But according to the article, that's just the beginning, since Worley now "hopes people impacted by the forced Windows 10 upgrade will write a complaint to Microsoft demanding a settlement for their wasted time and money in repairing the device," and on his web page suggests that if people don't need the money, they should give it to charities fighting Alzheimer's. "If Microsoft isn't going to wake up and realize that lobbing intentionally-tricky updates at people who don't need and can't use them actively damages not only the lives of the Alzheimer's sufferer, but those of their whole family, then let's cure the disease on Microsoft's dime so their tactics and those of companies that will follow their reckless example aren't as damaging."

Worley suggests each Notice of Dispute should demand at least $50 per hour from Microsoft, adding "If recent history holds steady they might just write you a check!"
United States

Sysadmin Gets Two Years In Prison For Sabotaging ISP (bleepingcomputer.com) 131

After being let go over a series of "personal issues" with his employer, things got worse for 26-year-old network administrator Dariusz J. Prugar, who will now have to spend two years in prison for hacking the ISP where he'd worked. An anonymous reader writes: Prugar had used his old credentials to log into the ISP's network and "take back" some of the scripts and software he wrote... "Seeking to hide his tracks, Prugar used an automated script that deleted various logs," reports Bleeping Computer. "As a side effect of removing some of these files, the ISP's systems crashed, affecting over 500 businesses and over 5,000 residential customers."

When the former ISP couldn't fix the issue, they asked Prugar to help. "During negotiations, instead of requesting money as payment, Prugar insisted that he'd be paid using the rights to the software and scripts he wrote while at the company, software which was now malfunctioning, a week after he left." This tipped off the company, who detected foul play, contacted the FBI and rebuilt its entire network.

Six years later, Prugar was found guilty after a one-week jury trial, and was ordered by the judge to pay $26,000 in restitution to the ISP (which went out of business in October of 2015). Prugar's two-year prison sentence begins December 27.
Government

Virginia Police Spent $500K For An Ineffective Cellphone Surveillance System (muckrock.com) 36

Cell-site simulators can intercept phone calls and even provide locations (using GPS data). But Virginia's state police force just revealed details about their actual use of the device -- and it's not pretty. Long-time Slashdot reader v3rgEz writes: In 2014, the Virginia State Police spent $585,265 on a specially modified Suburban outfitted with the latest and greatest in cell phone surveillance: the DRT 1183C, affectionately known as the DRTbox. But according to logs uncovered by public records website MuckRock, the pricey ride was only used 12 times — and only worked seven of those times.
According to Virginia's ACLU director, "each of the 12 uses cost almost $50,000, and only 4 of them resulted in an arrest [raising] a significant question whether the more than half million dollars spent on the device and the vehicle...was a wise investment of public funds."
United Kingdom

For The UK's 'Snoopers' Charter', Politicians Voted Themselves An Exemption (independent.co.uk) 134

The "Snoopers' Charter" passed in the U.K. greatly expands the government's surveillance power. But before they'd enact the new Investigatory Powers Act, Britain's elected officials first voted to make themselves exempt from it. Sort of. An anonymous reader writes: While their internet browsing history will still be swept up, just like everyone else's, no one will ever be able to access it without specific approval from the Prime Minister. And according to The Independent, "That rule applies not only to members of the Westminster parliament but also politicians in the devolved assembly and members of the European Parliament."
The article adds that the exemption was the very first amendment they approved for the legislation. And for a very long time, the only amendment.
United Kingdom

UK Health Secretary Urges Social Media Companies To Block Cyberbullying And Underaged Sexting (betanews.com) 71

Mark Wilson shares his article on Beta News: Health secretary Jeremy Hunt has made calls for technology companies and social media to do more to tackle the problems of cyberbullying, online intimidation and -- rather specifically -- under-18-year-olds texting sexually explicit images. Of course, he doesn't have the slightest idea about how to go about tackling these problems, but he has expressed his concern so that, in conjunction with passing this buck to tech companies, should be enough, right?
Hunt apparently believes there's already a technology which can identify sexually explicit photos, and that social media networks should now also develop algorithms to identify and block cyberbullying, an idea the Guardian called "sadly laughable."

"Is the blanket censorship of non-approved communications for all under 18s -- something that goes far further than even the Great Firewall of China -- really the kind of thing a government minister should be able to idly suggest in 2016?"
Security

Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk) 108

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."

Slashdot Top Deals