Security

A Popular Virtual Keyboard App Leaks 31 Million Users' Personal Data (zdnet.com) 65

Zack Whittaker, writing for ZDNet: Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app's developer failed to secure the database's server. The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world. But the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. The database appears to only contain records on the app's Android users.
Republicans

Valuable Republican Donor Database Breached -- By Other Republicans (politico.com) 73

Politico reports: Staffers for Senate Republicans' campaign arm seized information on more than 200,000 donors from the House GOP campaign committee over several months this year by breaking into its computer system, three sources with knowledge of the breach told Politico... Multiple NRSC staffers, who previously worked for the NRCC, used old database login information to gain access to House Republicans' donor lists this year. The donor list that was breached is among the NRCC's most valuable assets, containing not only basic contact information like email addresses and phone numbers but personal information that could be used to entice donors to fork over cash -- information on top issues and key states of interest to different people, the names of family members, and summaries of past donation history... Donor lists like these are of such value to party committees that they can use them as collateral to obtain loans worth millions of dollars when they need cash just before major elections...

"The individuals on these lists are guaranteed money," said a Republican fundraiser. "They will give. These are not your regular D.C. PAC list"... The list has helped the NRCC raise over $77 million this year to defend the House in 2018... Though the House and Senate campaign arms share the similar goal of electing Republican candidates and often coordinate strategy in certain states, they operate on distinct tracks and compete for money from small and large donors.

Long-time Slashdot reader SethJohnson says the data breach "is the result of poor deprovisioning policies within the House Republican Campaign Committee -- allowing staff logins to persist after a person has left the organization."

NRCC officials who learned of the breach "are really pissed," one source told the site.
Mozilla

Mozilla Releases Open Source Speech Recognition Model, Massive Voice Dataset (mozilla.org) 58

Mozilla's VP of Technology Strategy, Sean White, writes: I'm excited to announce the initial release of Mozilla's open source speech recognition model that has an accuracy approaching what humans can perceive when listening to the same recordings... There are only a few commercial quality speech recognition services available, dominated by a small number of large companies. This reduces user choice and available features for startups, researchers or even larger companies that want to speech-enable their products and services. This is why we started DeepSpeech as an open source project.

Together with a community of likeminded developers, companies and researchers, we have applied sophisticated machine learning techniques and a variety of innovations to build a speech-to-text engine that has a word error rate of just 6.5% on LibriSpeech's test-clean dataset. vIn our initial release today, we have included pre-built packages for Python, NodeJS and a command-line binary that developers can use right away to experiment with speech recognition.

The announcement also touts the release of nearly 400,000 recordings -- downloadable by anyone -- as the first offering from Project Common Voice, "the world's second largest publicly available voice dataset." It launched in July "to make it easy for people to donate their voices to a publicly available database, and in doing so build a voice dataset that everyone can use to train new voice-enabled applications." And while they've started with English-language recordings, "we are working hard to ensure that Common Voice will support voice donations in multiple languages beginning in the first half of 2018."

"We at Mozilla believe technology should be open and accessible to all, and that includes voice... As the web expands beyond the 2D page, into the myriad ways where we connect to the Internet through new means like VR, AR, Speech, and languages, we'll continue our mission to ensure the Internet is a global public resource, open and accessible to all."
Businesses

Amazon: Heat From Data Centers Will Be Used as a Furnace (vox.com) 52

Vox reports on Amazon's recent push for "corporate sustainability": It plans to have 15 rooftop solar systems, with a total capacity of around 41 MW, deployed atop fulfillment centers by the end of this year, with plans to have 50 such systems installed by 2020. Amazon was the lead corporate purchaser of green energy in 2016. That year, it also announced its largest wind energy project to date, the 253 MW Amazon Wind Farm Texas. Overall, the company says, it has "announced or commenced construction on wind and solar projects that will generate a total of 3.6 million megawatt hours (MWh) of renewable energy annually."
But here's the most interesting part. GeekWire reports: Amazon is moving ahead with a unique plan to use heat generated from data centers in the nearby Westin Building to warm some of its new buildings downtown. The system transfers the heat from the data centers via water piped underground to the Amazon buildings. The water is then returned to the Westin Building once it's cooled down to help cool the data centers. The setup will be unusual. "Certainly there are other people using waste heat from server farms but you don't hear a lot about tying it in with buildings across the street from each other," said Seattle City Councilmember Mike O'Brien.
Censorship

Hitler Quote Controversy In the BSD Community 500

New submitter Seven Spirals writes: Recently, the FreeBSD folks have removed Fortune with a fairly predictable far right 4chan condemnation. Then last weekend saw a lively debate on NetBSD's current-users mailing list about the inclusion of Hitler quotes in the Fortune database with dozens of posts falling on the left and right. The quotes themselves are fairly tame material probably intended as cautionary. However, the controversy and the reaction of BSD users has been real and very diverse. So far, the result has been to pull Fortune out of FreeBSD and to relocate the quotes into the "offensive" database in NetBSD's case.
Security

'Lazy' Hackers Exploit Microsoft RDP To Install Ransomware (sophos.com) 72

An anonymous reader writes: An investigation by Sophos has uncovered a new, lazy but effective ransomware attack where hackers brute force passwords on computers with [Microsoft's] Remote Desktop Protocol enabled, use off-the-shelf privilege escalation exploits to make themselves admins, turn off security software and then manually run fusty old versions of ransomware.
They even delete the recovery files created by Windows Live backup -- and make sure they can also scramble the database. "Because they've used their sysadmin powers to rig the system to be as insecure as they can, they can often use older versions of ransomware, perhaps even variants that other crooks have given up on and that are now floating around the internet 'for free'."

Most of the attacks hit small-to-medium companies with 30 or fewer employees, since "with small scale comes a dependence on external IT suppliers or 'jack-of-all-trades' IT generalists trying to manage cybersecurity along with many other responsibilities. In one case a victim was attacked repeatedly, because of a weak password used by a third-party application that demanded 24-hour administrator access for its support staff."
Privacy

Why is this Company Tracking Where You Are on Thanksgiving? (theoutline.com) 98

Earlier this week, several publications published a holiday-themed data study about how families that voted for opposite parties spent less time together on Thanksgiving, especially in areas that saw heavy political advertising. The data came from a company called SafeGraph that supplied publications with 17 trillion location markets for 10 million smartphones. A report looks at the bigger picture: The data wasn't just staggering in sheer quantity. It also appears to be extremely granular. Researchers "used this data to identify individuals' home locations, which they defined as the places people were most often located between the hours of 1 and 4 a.m.," wrote The Washington Post. The researchers also looked at where people were between 1 p.m. and 5 p.m. on Thanksgiving Day in order to see if they spent that time at home or traveled, presumably to be with friends or family. "Even better, the cellphone data shows you exactly when those travelers arrived at a Thanksgiving location and when they left," the Post story says. To be clear: This means SafeGraph is looking at an individual device and tracking where its owner is going throughout their day. A common defense from companies that creepily collect massive amounts of data is that the data is only analyzed in aggregate; for example, Google's database BigQuery, which allows organizations to upload big data sets and then query them quickly, promises that all its public data sets are "fully anonymized" and "contain no personally-identifying information." In multiple press releases from SafeGraph's partners, the company's location data is referred to as "anonymized," but in this case they seem to be interpreting the concept of anonymity quite liberally given the specificity of the data.
Facebook

This Time, Facebook Is Sharing Its Employees' Data (fastcompany.com) 45

tedlistens writes from a report via Fast Company: "Facebook routinely shares the sensitive income and employment data of its U.S.-based employees with the Work Number database, owned by Equifax Workforce Solutions," reports Fast Company. "Every week, Facebook provides an electronic data feed of its employees' hourly work and wage information to Equifax Workforce Solutions, formerly known as TALX, a St. Louis-based unit of Equifax, Inc. The Work Number database is managed separately from the Equifax credit bureau database that suffered a breach exposing the data of more than 143 million Americans, but it contains another cache of extensive personal information about Facebook's employees, including their date of birth, social security number, job title, salary, pay raises or decreases, tenure, number of hours worked per week, wages by pay period, healthcare insurance coverage, dental care insurance coverage, and unemployment claim records."

Surprisingly, Facebook is among friends. Every payroll period, Amazon, Microsoft, and Oracle provide an electronic feed of their employees' hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden's former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to the Equifax Work Number database. It now contains over 296 million employment records for employees at all wage levels, from CEOs to interns. The database helps streamline various processes for employers and even federal government agencies, says Equifax. But databases like the Work Number also come with considerable risks. As consumer journalist Bob Sullivan puts it, Equifax, "with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans' personal information ever created." On October 8, a month after Equifax announced its giant data breach, security expert Brian Krebs uncovered a gaping hole in the separate Work Number online consumer application portal, which allowed anyone to view a person's salary and employment history "using little more than someone's Social Security number and date of birth -- both data elements that were stolen in the recent breach at Equifax."

Security

Man Who Sent GIF of Laughing Mouse To Employer After DDoS Attack Is Now Arrested (bleepingcomputer.com) 75

An anonymous reader writes: The FBI has arrested and charged a man for launching DDoS attacks against a wide range of targets, including his former employer, a Minnesota-based PoS repair shop. The man, who bought access to a VPN but didn't use it all the time, was caught after registering email accounts and sending taunting emails to victims, including his former employer. The taunting emails also included a GIF image of a laughing mouse, which eventually tied the man to the DDoS attacks as well. The guy also uploaded the image on Facebook in a post that asked people to join in DDoS attacks on banks as part of Anonymous' Operation Icarus. The suspect also created the fake email accounts using the name of another former colleague, trying to pin suspicions on him. The FBI was not only able to track the man's real IP address, but they also tied him to attacks without a doubt because he used a DDoS-for-hire service that was hacked and its database was shared with the FBI.
Security

How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com) 34

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerablity after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.
Facebook

Facebook To Fight Revenge Porn by Letting Potential Victims Upload Nudes in Advance (bleepingcomputer.com) 370

Catalin Cimpanu, writing for BleepingComputer: Facebook is testing new technology that is designed to help victims of revenge porn acts. It works on a database of file hashes, a cryptographic signature computed for each file. Facebook says that once an abuser tries to upload an image marked as "revenge porn" in its database, its system will block the upload process. This will work for images shared on the main Facebook service, but also for images shared privately via Messenger, Facebook's IM app. The weird thing is that in order to build a database of "revenge porn" file hashes, Facebook will rely on potential victims uploading a copy of the nude photo in advance. This process involves the victim sending a copy of the nude photo to his own account, via Facebook Messenger. This implies uploading a copy of the nude photo on Facebook Messenger, the very same act the victim is trying to prevent. The victim can then report the photo to Facebook, which will create a hash of the image that the social network will use to block further uploads of the same photo.
Software

NVIDIA-Powered Neural Network Produces Freakishly Natural Fake Human Photos (hothardware.com) 140

MojoKid writes: NVIDIA released a paper recently detailing a new machine learning methodology for generating unique and realistic looking faces using a generative adversarial network (GAN). The result is the ability to artificially render photorealistic human faces of "unprecedented quality." NVIDIA achieves this by using an algorithm that pairs two neural networks -- a generator and a discriminator -- that compete against each other. The generator starts from a low resolution image and builds upon it, while the discriminator assesses the results, sort of like a constant critic, pointing out where things have gone wrong. The GAN is not a new technology, but where NVIDIA differentiates is through the progressive training method it developed. NVIDIA took a database of photographs of famous people and used that to train its system. By working together, the neural networks were able to produce fake images that are nearly indistinguishable from real human photographs, and a little creepy too.
IT

HTTP 103 - An HTTP Status Code for Indicating Hints (ietf.org) 50

The Internet Task Engineering Group (IETF) has approved the new HTTP status code 103. The new status code is intended to "minimize perceived latency." From the circular: It is common for HTTP responses to contain links to external resources that need to be fetched prior to their use; for example, rendering HTML by a Web browser. Having such links available to the client as early as possible helps to minimize perceived latency. The "preload" ([Preload]) link relation can be used to convey such links in the Link header field of an HTTP response. However, it is not always possible for an origin server to generate the header block of a final response immediately after receiving a request. For example, the origin server might delegate a request to an upstream HTTP server running at a distant location, or the status code might depend on the result of a database query. The dilemma here is that even though it is preferable for an origin server to send some header fields as soon as it receives a request, it cannot do so until the status code and the full header fields of the final HTTP response are determined. [...] The 103 (Early Hints) informational status code indicates to the client that the server is likely to send a final response with the header fields included in the informational response. Typically, a server will include the header fields sent in a 103 (Early Hints) response in the final response as well. However, there might be cases when this is not desirable, such as when the server learns that they are not correct before the final response is sent. A client can speculatively evaluate the header fields included in a 103 (Early Hints) response while waiting for the final response. For example, a client might recognize a Link header field value containing the relation type "preload" and start fetching the target resource. However, these header fields only provide hints to the client; they do not replace the header fields on the final response. Aside from performance optimizations, such evaluation of the 103 (Early Hints) response's header fields MUST NOT affect how the final response is processed. A client MUST NOT interpret the 103 (Early Hints) response header fields as if they applied to the informational response itself (e.g., as metadata about the 103 (Early Hints) response).
Facebook

Facebook Says 126 Million Americans May Have Seen Russia-Linked Political Posts (reuters.com) 370

Facebook said on Monday that Russia-based operatives published about 80,000 posts on the social network over a two-year period in an effort to sway U.S. politics and that about 126 million Americans may have seen the posts during that time. Reuters reports: Facebook's latest data on the Russia-linked posts - possibly reaching around half of the U.S. population of voting age - far exceeds the company's previous disclosures. It was included in written testimony provided to U.S. lawmakers, and seen by Reuters, ahead of key hearings with social media and technology companies about Russian meddling in elections on Capitol Hill this week. Twitter separately has found 2,752 accounts linked to Russian operatives, a source familiar with the company's written testimony said. That estimate is up from a tally of 201 accounts that Twitter reported in September. Google, owned by Alphabet, said in a statement on Monday it had found $4,700 in Russia-linked ad spending during the 2016 U.S. election cycle, and that it would build a database of election ads. Facebook's general counsel, Colin Stretch, said in the written testimony that the 80,000 posts from Russia's Internet Research Agency were a tiny fraction of content on Facebook, equal to one out of 23,000 posts.
Software

Indiana Is Purging Voters Using Software That's 99 Percent Inaccurate, Lawsuit Alleges (thedailybeast.com) 509

An anonymous reader quotes a report from The Daily Beast: More than 99 percent of voter fraud identified by a GOP-backed program is false, a study by Harvard, Yale, and Microsoft researchers found. Now Indiana is using the faulty program to de-register voters without warning. In July, Indiana rolled out a new law allowing county officials to purge voter registrations on the spot, based on information from a dubious database aimed at preventing voter fraud. That database, the Interstate Voter Registration Crosscheck Program, identifies people in different states who share the same name and birthdate. Crosscheck has long been criticized as using vague criteria that disproportionately target people of color. Now Indiana voters who share a name and birthdate with another American can have their registrations removed without warning -- a system ripe for abuse, a new lawsuit claims. Crosscheck's premise is simple. The program aims to crack down on people "double voting" in multiple states, by listing people who share a first name, last name, and birthdate.

Indiana has used Crosscheck for years. But until July, the state had a series of checks on the program. If Crosscheck found that an Indiana resident's name and birthdate matched that of a person in another state, Indiana law used to require officials to ask that person to confirm their address, or wait until that person went two general election cycles without voting, before the person's name was purged from Indiana voter rolls. Under the state's new law, officials can scrub a voter from the rolls immediately. That's a problem for Indiana residents, particularly people of color, a Friday lawsuit from Common Cause and the American Civil Liberties Union argues.

Security

While Equifax Victims Sue, Congress Limits Financial Class Actions (marketwatch.com) 190

An anonymous reader quotes a local NBC news report: Stories are starting to pour in about those impacted by last month's massive Equifax data breach, which compromised the private information of more than 140 million people. Katie Van Fleet of Seattle says she's spent months trying to regain her stolen identity, and says it has been stolen more than a dozen times. "I kept receiving letters from Kohl's, from Macy's, from Home Depot, from Old Navy saying 'thank you for your application,'" she said to CNN affiliate KCPQ. But she says she's never applied for credit from any of those places. Instead, Van Fleet and her attorney Catherine Fleming say they believe her personal data was stolen during the massive Equifax security breach... Fleming has filed a class-action lawsuit against Equifax, saying they were negligent in losing private information on more than 140 million Americans... "Countless people, I mean, I've really, truly lost count, and the stories that like Katie's, the stories I hear are heart-wrenching," Fleming said.
But are things about to get worse? Marketwatch reports: It will become harder for consumers to sue their banks or companies like Equifax... The Senate voted Tuesday night to overturn a rule the Consumer Financial Protection Bureau worked on for more than five years. The final version of the rule banned companies from putting "mandatory arbitration clauses" in their contracts, language that prohibits consumers from bringing class-action lawsuits against them. It applies to institutions that sell financial products, including bank accounts and credit cards. Consumer advocates say it's good news for companies like Wells Fargo or Equifax, which have both had class-action lawsuits filed against them, and bad news for their customers... Lisa Gilbert, the vice president of legislative affairs at Public Citizen, a nonprofit based in Washington, D.C., said the Senate vote shouldn't impact cases that are already ongoing. However, there will "certainly" be more forced arbitration clauses in contracts in the future, and fewer cases brought against companies, she said.
Data Storage

US Voting Server At Heart of Russian Hack Probe Mysteriously Wiped (theregister.co.uk) 431

A computer at the center of a lawsuit digging into Russian interference in the U.S. presidential election has been wiped. "The server in question is based in Georgia -- a state that narrowly backed Donald Trump, giving him 16 electoral votes -- and stored the results of the state's vote-management system," reports The Register. "The deletion of its filesystem data makes analysis of whether the system was compromised impossible to ascertain." From the report: There is good reason to believe that the computer may have been tampered with: it is 15 years old, and could be harboring all sorts of exploitable software and hardware vulnerabilities. No hard copies of the votes are kept, making the electronic copy the only official record. While investigating the Kennesaw State University's Center for Election Systems, which oversees Georgia's voting system, last year, security researcher Logan Lamb found its system was misconfigured, exposing the state's entire voter registration records, multiple PDFs with instructions and passwords for election workers, and the software systems used to tally votes cast. Despite Lamb letting the election center knows of his findings, the security holes were left unpatched for seven months. He later went public after the U.S. security services announced there had been a determined effort by the Russian government to sway the presidential elections, including looking at compromising electronic voting machines.

In an effort to force the state to scrap the system, a number of Georgia voters bandied together and sued. They asked for an independent security review of the server, expecting to find flaws that would lend weight to their argument for investment in a more modern and secure system. But emails released this week following a Freedom of Information Act request reveal that technicians at the election center deleted the server's data on July 7 -- just days after the lawsuit was filed. The memos reveal multiple references to the data wipe, including a message sent just last week from an assistant state attorney general to the plaintiffs in the case. That same email also notes that backups of the server data were also deleted more than a month after the initial wipe -- just as the lawsuit moved to a federal court. It is unclear who ordered the destruction of the data, and why, but they have raised yet more suspicions of collusion between the Trump campaign team, the Republican Party, and the Russian government.

Security

With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com) 84

Two-factor authentication "protects from an attacker listening in right now," writes Slashdot reader szczys, "but in many case a database breach will negate the protections of two-factor." Hackaday reports: To fake an app-based 2FA query, someone has to know your TOTP password. That's all, and that's relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone's TOTP keys.

How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle's flash memory, and the device was shipped with it installed. This was pretty plausibly "something you had" even though it was based on a secret number embedded in silicon. (More like "something you don't know?") The app authenticators are doing something very similar, even though it's all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into "something I know", at least for me.
The original submission calls two-factor authentication "an enhancement to password security, but good password practices are far and away still the most important of security protocols." (Meaning complex and frequently-changed passwords.)
Google

On the Google Book Scanning Project and the Library We Will Never See (theatlantic.com) 165

For a decade, Google's enormous project to create a massive digital library of books was embroiled in litigation with a group of writers who say it was costing them a lot of money in lost revenue. Even as Google notched a victory when a federal appeals court ruled that the company's project was fair use, the company quietly shut down the project. From an article published in April this year: Despite eventually winning Authors Guild v. Google, and having the courts declare that displaying snippets of copyrighted books was fair use, the company all but shut down its scanning operation. It was strange to me, the idea that somewhere at Google there is a database containing 25-million books and nobody is allowed to read them. It's like that scene at the end of the first Indiana Jones movie where they put the Ark of the Covenant back on a shelf somewhere, lost in the chaos of a vast warehouse. It's there. The books are there. People have been trying to build a library like this for ages -- to do so, they've said, would be to erect one of the great humanitarian artifacts of all time -- and here we've done the work to make it real and we were about to give it to the world and now, instead, it's 50 or 60 petabytes on disk, and the only people who can see it are half a dozen engineers on the project who happen to have access because they're the ones responsible for locking it up. But Google seems to be thinking ways to make use of it, it appears. Last month, it added a new feature to its search function that instantly connects you with eBook data from libraries near you. From a report: Now, every time you search for a book through Google, information about your local library rental options will be easily available. Yeah, that's right. Your local library not only still exists, but it has eBooks, which are things you can totally borrow (for free) online! Before, this perk was hidden somewhere deep within your local library's website -- assuming it had one -- but now these free literary wonders are all yours for the taking.
Google

How Google's Pixel 2 'Now Playing' Song Identification Works (venturebeat.com) 129

An anonymous reader shares a report from VentureBeat, written by Emil Protalinski: The most interesting Google Pixel 2 and Pixel 2 XL feature, to me, is Now Playing. If you've ever used Shazam or SoundHound, you probably understand the basics: The app uses your device's microphone to capture an audio sample and creates an acoustic fingerprint to compare against a central song database. If a match is found, information such as the song title and artist are sent back to the user. Now Playing achieves this with two important differentiators. First, Now Playing detects songs automatically without you explicitly asking -- the feature works when your phone is locked and the information is displayed on the Pixel 2's lock screen (you'll eventually be able to ask Google Assistant what's currently playing, but not yet). Secondly, it's an on-device and local feature: Now Playing functions completely offline (we tested this, and indeed it works with mobile data and Wi-Fi turned off). No audio is ever sent to Google.

Slashdot Top Deals