Is The FBI Snooping TOR?

The Federal Bureau of Investigation (FBI) has been accused of gathering data from the anonymous network known as TOR.

The FBI might be behind a security assault on the TOR network that grabs users’ information.

Security researcher Vlad Tsyrklevich said that the attack is a strange one and is most likely the work of the authorities.

“[It] doesn’t download a backdoor or execute any other commands, this is definitely law enforcement,” he said in a tweet about the discovery.

He went a bit further in a blog post, explaining that the Firefox vulnerability is being used to send data in one direction.

“Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash,” he added.

“Because this payload does not download or execute any secondary backdoor or commands it’s very likely that this is being operated by an LEA and not by blackhats.”

The bug is listed at Mozilla, and the firm has a blog post saying that it is looking into it.

Over the weekend a blog post appeared on the TOR website that sought to distant it from a number of closed down properties or hidden websites. It is thought that the shuttered websites, which were hosted by an outfit called Freedom Hosting, were home to the worst kind of abuses.

A report at the Irish Examiner said that a chap called Eric Eoin Marques is the subject of a US extradition request. He is accused of being in charge of Freedom Hosting.

“Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the TOR Network,” the TOR project said.

“There are a variety of [rumors] about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site,” it said.

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The TOR Project, Inc., the organization coordinating the development of the TOR software and research.”

Source

Yahoo Still Playing Pac-Man

Yahoo announced on Wednesday that it bought Qwiki for an undisclosed sum, as the firm’s spending spree continues.

Qwiki started out as a video focused search engine in 2011, before making its way into the iTunes Store as an app that turns images and videos into digital story boards.

Yahoo announced its acquisition of Qwiki on Wednesday, although it kept quiet about what it plans to do with the company and how much it spent. However, according to Allthingsd, Yahoo spent approximately $50m to further expand its digital offerings.

What’s more, while it’s unclear what Yahoo’s plans are at present, it’s likely that the firm is looking to challenge Vine and Instagram in the social video market.

Yahoo announced the news, naturally, on Tumblr. It said, “We’re excited to announce that Yahoo acquired Qwiki – a company that uses awesome technology to bring together pictures, music and video to capture the art of storytelling.

“We will continue to support the Qwiki app, and the team will join Yahoo in our New York city office to reimagine Yahoo’s storytelling experience. Stay tuned … there’s much more to come!”

Qwiki also had something to say, posting on its website, “Thank you for being a part of our story – one which is far from over. The Qwiki app will live on as a standalone entity inside Yahoo, where we will grow our thriving community and where our team will continue to work to help you share life’s best experiences.

“We are proud of the work we’ve done, and humbled by unwavering support from the NY tech community. New York is such a big part of who we are, and what we will become.”

Yahoo’s buyout of Qwiki is the latest in a series of acquisitions by the firm. Recently the firm announced that it bought Tumblr for a cool $1.1bn, with Yahoo CEO Marissa Mayer promising “not to screw it up”.

Source

Are CCTV Cameras Hackable?

When the nosy British bought CCTV cameras, worried citizens were told that they could not be hacked.

Now a US security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military. Craig Heffner, said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco, D-Link and TRENDnet.

They could use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems. Heffner said that it was a significant threat as somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.

He will show how to exploit these bugs at the Black Hat hacking conference, which starts on July 31 in Las Vegas. Heffner said he has discovered hundreds of thousands of surveillance cameras that can be accessed via the public internet.

Source

Twitter’s Authentication Has Vulnerabilities

Twitter’s SMS-based, two-factor authentication feature could be abused to lock users who have not enabled it for their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.

Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users’ accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.

According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to those accounts that don’t have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.

An attacker who steals someone’s log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person’s account and then turn on two-factor authentication, Sullivan said Monday. If that happens, the real owner won’t be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.

This is possible because Twitter doesn’t use any additional method to verify that whoever has access to an account via Twitter’s website is also authorized to enable two-factor authentication.

When the two-factor authentication option called “Account Security” is first enabled on the account settings page, the site asks users if they successfully received a test message sent to their phone. Users can simply click “yes,” even if they didn’t receive the message, Sullivan said.

Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.

As it is, the researcher is concerned that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.

Some security researchers already expressed their belief that Twitter’s two-factor authentication feature in its current implementation is impractical for news organizations and companies with geographically dispersed social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.

Twitter did not immediately respond to a request for comment regarding the issue described by Sullivan.

Source

Yahoo On A Buying Spree

Yahoo has purchased a mobile gaming company, Loki Studios, taking its total acquisitions this month to four.

The company said over the weekend it welcomed Loki, Astrid, GoPollGo and MileWise to its growing mobile team. “We recently added 22 entrepreneurs to our growing mobile team,” the company said in a Twitter message in a possible reference to some of the people from the four companies who have moved to Yahoo.

Loki’s flagship application is its location-aware game, Geomon. “We are thrilled to be joining the exceptional folks at Yahoo!. We believe fully in their commitment to creating outstanding mobile products,” the Loki team said on their website.

Earlier in the week, Yahoo also acquired GoPollGo, a social polling tool. The company’s founder and team said they were moving to Yahoo, and would no longer be supporting their offerings.

It is not clear whether Yahoo has bought all these companies for their products and technology or just to get their experienced staff in the area of mobile as it tries to build up its own mobile capabilities. The way the services are being shut down suggests that their user base did not particularly interest Yahoo. The company could not be immediately reached for comment.

Source

Is Twitter Home To Malware?

Security outfit Trusteer has recently identified an active configuration of TorRAT targeting Twitter users. The malware launches a Man-in-the-Browser (MitB) attack through the browser of infected PCs, gaining access to the victim’s Twitter account to create malicious tweets.

Dana Tamir, Enterprise Security Director for Trusteer the malware, which has been used as a financial malware to gain access to user credentials and target their financial transactions, now has a new goal: to spread malware using the online social networking service. At this time the attack is targeting the Dutch market. But since Twitter is used by millions of users around the world, this type of attack can be used to target any market and any industry.

The attack is carried out by injecting Javascript code into the victim’s Twitter account page. The malware collects the user’s authentication token, which enables it to make authorized calls to Twitter’s APIs, and then posts new, malicious tweets on behalf of the victim.

Tamir said that the attack is particularly difficult to defend against because it uses a new sophisticated approach to spear-phishing. Twitter users follow accounts that they trust. Because the malware creates malicious tweets and sends them through a compromised account of a trusted person or organization being followed, the tweets seem to be genuine. The fact that the tweets include shortened URLs is not concerning: Twitter limits the number of characters in a message, so followers expect to get interesting news bits in the form of a short text message followed by a shortened URL. However, a shortened URL can be used to disguises the underlying URL address, so that followers have no way of knowing if the link is suspicious.

Source

EPIC Wants Biometric Data From The FBI

The Electronic Privacy Information Center (EPIC) has pressed the US Federal Bureau of Investigation (FBI) for access to its database of US citizens’ biometric data.

EPIC already tried to get access twice last September, and now it is trying again. It said that it has sent repeated freedom of information act requests regarding the database, and that the FBI has failed to respond. Now it has filed a lawsuit for access (PDF).

It warned that the Next Generation Identification system (NGI) is a massive database that “when completed, [will] be the largest biometric database in the world”.

The NGI will use CCTV systems and facial recognition, and it includes DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other “identifying information”.

The FBI has an information page about the NGI, and there it said that photographs of tattoos are also included and that the system is designed to speed up suspect detection and response times.

“The NGI system will offer state-of-the-art biometric identification services and provide a flexible framework of core capabilities that will serve as a platform for multimodal functionality,” it said.

“The NGI Program Office mission is to reduce terrorist and criminal activities by improving and expanding biometric identification and criminal history information services through research, evaluation, and implementation of advanced technology”.

In its lawsuit EPIC said that the NGI database will be used for non law enforcement purposes and will be made available to “private entities”.

EPIC said that it has asked the FBI to provide information including “contracts with commercial entities and technical specifications”.

It said that so far it has received no information from the FBI in response to its requests.

Source

Blackberry Plans New Tablet

BlackBerry plans to roll out a larger tablet and two phone-tablet combos, or phablets, over the next year, according to a leaked road map presentation slide.

The three devices will run the BlackBerry 10 mobile operating system, which powers the Z10 smartphone and the upcoming Q10, which features a physical qwerty keyboard, according to the slide, which first appeared over the weekend on Twitter as @BB10Leaks.

BlackBerry officials didn’t comment on the road map. However, in comments to analysts last Thursday, CEO Thorstein Heins said repeatedly that the company will introduce more BlackBerry 10 devices this year, though he didn’t indicate what form factors the products would feature.

The three new devices shown in the slide include a BlackBerry 10 tablet with a widescreen aspect ratio, as well as a “U10″ phone-tablet, which some call a phablet, and an “R10″ phablet with a physical qwerty keyboard.

The slide indicates that the B10 tablet will ship in the third or fourth quarter, while the two phablets will be released later, with the U10 shipping at the end of the year and the R10 in spring of 2014.

There are no specifications on the slide, but the devices appear to be shown roughly in proportion to one another, with the phablets appearing to be wider than the existing Z10 and Q10 smartphones.

BlackBerry already has a 7-in. tablet called the PlayBook that is more square in shape than the widescreen look of the B10 in the slide. Some analysts and bloggers said it’s possible that BlackBerry is developing a competitor to the various 9-to-11-in. tablets already on the market, including many Android tablets, as well as the 9.7-in. iPad.

“BlackBerry wants to be a full-line competitor, particularly for business users, so they have to have a full line of products to compete head-on with Apple and Android, primarily Samsung,” said Jack Gold, an analyst at J.Gold Associates. “I would expect any viable competitor to establish a full line of products touching on all the various preferences of the marketplace, which includes smartphones, phablets and tablets.”

Gold couldn’t confirm whether any of the details in the leaked slide were accurate, but he noted that it doesn’t appear to include the mid-priced smartphones that Heins and other executives have hinted that BlackBerry may launch over the next few quarters.

The PlayBook tablet first went on sale in April 2011, running on what BlackBerry then called the BlackBerry Tablet OS, based on QNX. BlackBerry later said it would merge that tablet operating system into BlackBerry 10. The company also released a major update to the PlayBook tablet operating system in February 2012.

The first release of the PlayBook was criticized for not having native email.

Analysts are not sure that BlackBerry can keep up with production demand for so many new devices that depend on a relatively constrained supply chain for displays and other components. But to boost its global smartphone market share, currently at less than 10%, BlackBerry will need a product lineup with a variety of options.

Source

LinkedIn DropS BWP API

LinkedIn has shut off its API access to “Bang With Professionals,” a Web service that was intended to facilitate more, say, intimate connections among users of the business-oriented social networking site.

The service was designed to allow LinkedIn users to anonymously search for people in their LinkedIn network who would be interested in meeting up for casual sex.

“We all had a good laugh,” the founders of Bang With Professionals said on last Friday on the website, less than a month after its launch. “We all knew it was a matter of time before our API key was revoked.”

LinkedIn said it shut off API (application programming interface) access for the free site, which was intended to work on all desktops and mobile devices, because it violated the social network’s terms of use in a manner that was “inconsistent with the goals of our developer program.”

Among other things, API access isn’t allowed for any application that contains or displays adult content.

Data about the site’s 6,000 subscribers is safe and all their user IDs have been deleted, the founders said. The only thing that remains now is the site’slanding page.

The origins of Bang With Professionals are not unique in the fast-paced social networking landscape. The site was built “by two guys in three days,” the landing page says. The total launch cost was US$57: $40 for stock images, $12 for the domain name and $5 for an account on the server CloudFlare.

The Twitter handle for the site has since been deactivated, but at press time, the Bang With Professionals blog on Tumblr was still accessible.

Source

AP Goes With Twitter

The Associated Press began using its official Twitter account as an advertising platform on Monday, as the news organization looks for new ways to generate revenue.

Samsung Electronics Co Ltd was the first sponsor on the @ap account for breaking news, which is followed by 1.5 million Twitter users. The South Korean electronics maker’s initial “SPONSORED TWEET” promoted its events at the 2013 Consumer Electronics Show in Las Vegas this week.

AP did not disclose financial details of the arrangement.

Twitter, which sells ads directly to make money from the social media’s monthly base of 200 million users, will not receive any proceeds from the AP-Samsung deal.

The AP called the initiative part of a new business strategy and stressed that sponsored tweets will clearly be labeled to differentiate them from news tweets.

The ads provide AP a new income source as news organizations from newspapers to television face severe revenue declines in the face of high production costs.

While the AP was founded in 1846 by U.S. newspapers as a breaking news conduit, only 22 percent of its revenue comes from member fees. Photo licensing, advertising on its news application AP Mobile and YouTube channel are other revenue streams.

Source…

« Previous Page — Next Page »