Showing posts with label Security. Show all posts

2016-07-23

Edward Snowden designs phone case to show when data is being monitored

Snowden and co-designer Andrew ‘Bunnie’ Huang’s ‘introspection engine’ knows when a cellular, Wi-Fi or Bluetooth connection is being used to share data

American whistleblower Edward Snowden delivers a speech during the Roskilde Festival in Denmark last month.

Edward Snowden has helped design a mobile phone case called the “introspection engine” that, he claims, will show when a smartphone is transmitting information that could be monitored.

Presenting via video link to an event at the MIT Media Lab in Cambridge, Massachusetts, Snowden and co-designer Andrew “Bunnie” Huang showed how the device connects to a phone’s different radio transmitters, so that its owner knows when a cellular, Wi-Fi or Bluetooth connection is being used to share or receive data.

Initial mockups of the introspection engine show a small monochromatic display built into the casing that indicates whether the phone is “dark” or transmitting; the case can also supply an iPhone with extra battery power and cover the rear-facing camera.

It could be developed to act as a sort of “kill switch” that would disconnect a phone’s power supply when it detects that a radio is transmitting data after its owner has attempted to turn it off.

The device is an academic project and nowhere near ready for the mass market, but it could still influence how consumers view the “tracking devices” – otherwise known as smartphones – that they rely on every day.

“If you have a phone in your pocket that’s turned on, a long-lived record of your movements has been created,” Snowden said. “As a result of the way the cell network functions your device is constantly shouting into the air by means of radio signals a unique identity that validates you to the phone company. And this unique identity is not only saved by that phone company, but it can also be observed as it travels over the air by independent, even more dangerous third parties.”

Most smartphones disable Wi-Fi, Bluetooth and cellular transmission when in airplane mode, but Snowden and Huang say that can’t be trusted.

“Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface,” they write in their paper on the device. “Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”

The project is an extension of Snowden’s work to inform the public about the surveillance capabilities available to governments around the world. In June 2013 he revealed information about mass surveillance programs at the National Security Agency, where he was a contractor, and he has since become the closest thing digital security has to Neil deGrasse Tyson or Bill Nye: a recognizable name that can explain these issues in a way the average person can understand.

In addition to educating people about security risks, he now wants to help citizens defend themselves – if the introspection engine ever becomes a reality.

Snowden and Huang say there’s no guarantee the device will ever be more than a mockup. “Over the coming year, we hope to prototype and verify the introspection engine’s abilities,” they write. “As the project is run largely through volunteer efforts on a shoestring budget, it will proceed at a pace reflecting the practical limitations of donated time.” If they do receive the proper funding, they could release the device in partnership with the Freedom of the Press Foundation media advocacy group.

Snowden said the introspection engine was designed to help protect journalists. “One good journalist in the right place at the right time can change history. One good journalist can move the needle in the context of an election. One well-placed journalist can influence the outcome of a war,” he said.

“This makes them a target, and increasingly the tools of their trade [are] being used against them. Our technology is beginning to betray us not just as individuals but as classes of workers, particularly those who are putting a lot on the line in the public interest.”

Sunday Times war correspondent Marie Colvin was reportedly killed in Syria after government forces were able to trace her position, according to a new lawsuit.

Snowden and Huang are concentrating on working with Apple’s iPhone, but also said the device could be modified to work on other smartphones. It’s not immediately clear how Apple will respond to the introspection engine; while it has worked to give consumers security features meant to thwart even sophisticated attackers, the company might not be fond of a device that can separate an iPhone from all networks. Apple has not responded to a request for comment.

Still, the connection to Snowden and the rush of attention following MIT Media Lab’s event might inspire others to work on devices similar to the introspection engine. Even if the tool never becomes more than an interesting subject discussed at an academic conference, it could lead to consumers having more control over what exactly their iPhone is sharing from their pockets.


Source: The Guardian UK

Police recreate murder victim’s finger so they can unlock his iPhone

It could be the crucial clue to solving a murder mystery.

A lab in Michigan has managed to recreate a dead man’s finger

A dead man’s finger has been 3D printed at a Michigan lab in order to unlock his iPhone.

Police hope that the technology will help catch the killer, who remains at large, reports Fusion.net.

A set of fingerprints the police took from the victim during an unrelated arrest were taken to the lab in Michigan State University where they were used as blueprints.


Anil Jain and his team at the lab are still perfecting the fingers

Computer science professor Anil Jain, who specialises in biometric identifiers like fingerprint scanners, created a 3D printed replica of all ten fingers.

Anil told Fusion that the police are not sure which finger the victim used to unlock his phone.

He said: ‘We think it’s going to be the thumb or index finger, that’s what most people use, but we have all ten.’

iPhones use a capacitive sensor to identify fingerprints – one that detects an electrical charge present only in a living person.


Police hope one of the fingers will allow them to access the victim’s iPhone

But after a person dies, the tissue in the skin starts to deteriorate, and the electrical charge is lost.

To overcome this, Anil had to coat the 3D fingers in a thin layer of metallic particles.

The fingers now need to be tested and refined before they are handed back to the police for use.

It is still not foolproof, as the police may still require a passcode if the touch screen has not been used for 48 hours.

Their investigation continues.

2016-07-22

KickAssTorrents down: US authorities seize domain name in move that could kill world’s biggest torrent site

The suspected founder of the site has been arrested and it could never go back online

Protesters demonstrate in Stockholm over the conviction of four men involved with The Pirate Bay filesharing site

The world’s biggest torrent site has been taken offline and could never go back up.

US authorities have seized the KickAssTorrents domain name in an operation that also saw them arrest a man who is alleged to have run the file-sharing site.

The website was by many measures the biggest file-sharing website in the world. But it now appears that it could never return, since the US government now owns all of the domains that it operates under.

KickAssTorrents has regularly moved to different domains registered around the world, as authorities have cut off access to specific addresses. Those have included kickasstorrents.com, kat.ph, kickass.to, kickass.so and kat.cr, all of which have been run from places around the world.

Access to the site had already been blocked by courts in the United Kingdom, Ireland, Italy, Denmark, Belgium and Malaysia.

But now that the site has been taken offline it cannot be reached through VPNs, mirrors or any other workarounds.

The site’s net worth has been estimated at $54 million by the US government, an estimate based on the millions of dollars of advertising revenue the website generates.

2016-07-19

Investigatory Powers Bill: Theresa May-led legislation could be killed by ruling from European Court, privacy campaigners claim

The case was originally brought by a member of Ms May's own cabinet

During her speech at the 2011 Conservative Party conference, Theresa May announced plans to clamp down on illegal immigrants hiding behind the human rights act

A European Court of Justice ruling could deal a “serious blow” to Theresa May’s most prized piece of legislation, campaigners have said.

The new Prime Minister’s time in her previous job as Home Secretary was arguably defined by her oversight of the Investigatory Powers Bill – which hands over vastly more spying powers to police and other agencies, and forces internet companies to store information about users’ entire browsing history. But that bill could have been dealt a serious blow by a case brought by a member of her own cabinet.

The European Court of Justice heard a case against the government’s powers to store data on its own citizens, arguing that such bulk collection is not legal. And though the court’s advocate general said that such storage might be legal, the findings could still cause huge problems for Theresa May’s spying powers.

The case had originally been brought by a group including David Davis, the Conservative MP who has campaigned on privacy issues. But he dropped off the case in the last week, soon after he re-joined the cabinet.

Campaign group Privacy International said that the opinion is a “serious blow” to the bill, and that the full judgement from the court is likely to cause further problems.

“The bulk powers - what we would call mass surveillance powers - embedded throughout the IPBill go far beyond tackling serious crime,” said Privacy International’s general counsel, Caroline Wilson Palow. “They would give a range of public bodies, not just the Police and intelligence agencies, the power to access the personal data of innocent people, often without any form of warrant.

“The Advocate General's opinion supports our calls for much stricter safeguards and oversight to protect us from serious violations of our privacy - including that all access to our data, including communications data, must be authorised by an independent authority such as a judge.”

The group said that the opinion should serve as “a wake-up call for lawmakers that the IPBill's powers and safeguards need to be overhauled."

Green Party peers agreed that the opinion should lead lawmakers to rewrite major parts of the bill.

“Today’s European Court of Justice ruling - that bulk data collection is only lawful if it is used to tackle serious crime - makes it clearer than ever that the Investigatory Powers Bill currently passing through the House of Lords is simply not fit for purpose,” said Baroness Jones of Moulsecoomb, who represents the Green Party in the House of Lords.

“The Bill poses serious risks to our civil liberties, sanctioning unprecedented surveillance of citizens’ communications and failing to put in place sufficient safeguards against the misuse of powers granted to the security services."

Pokemon Go: Wanted criminal arrested after visiting 'gym' at police station

Police recognised the man, who had a warrant out for his arrest

While playing Pokémon Go, one Michigan criminal found the last thing he was looking for: the police.

William Wilcox found himself at the Milford police station while playing the augmented reality game. The station had been listed as a “gym”, where gamers can claim and catch other Pokémon.

Mr Wilcox had a warrant for his arrest, however, and police nabbed him on the spot.

Police told NBC affiliate KCBD that the game simply made the job easier.

“Fortunately, sometimes they make our job easy for us,” said police chief Tom Lindberg.

“The original charge he had was for breaking and entering, but the warrant was for failure to appear for sentencing. He either forgot he had a warrant out for his arrest or was just ignoring it thinking nothing will happen.”

Given the fact that Milford – a town 30 miles north of Ann Arbor – has a population under 6,500, police recognised Mr Wilcox when he arrived at the station.

Mr Wilcox was arraigned and released, apparently unfazed by the time in police custody.

“I think he was more upset that he had to stop playing the game,” said Mr Lindberg, adding that this could have been avoided if Mr Wilcox were more mindful of his surroundings.

“Don’t just walk into the police building and start playing the game,” he said. “Most of those characters will appear outside the building."

2016-07-18

Google My Activity shows everything that company knows about its users – and there’s a lot

The new site collects every website you’ve been on, everything you’ve searched and many of the things you’ve done with your phone

There's a lot to see

Google has launched a new site that shows absolutely everything it knows about its users. And there’s an awful lot of it.

The new My Activity page collects all of the data that Google has generated by watching its customers as they move around the web. And depending on your settings that could include a comprehensive list of the websites you’ve visited and the things you’ve done with your phone.

Google has long allowed its users to see the kinds of information that is being generated as people use the company’s products, including letting people listen in on automated recordings that it has made of its users. But the new page collects them together in a more accessible – and potentially more terrifying – way than ever before.

The page shows a full catalogue of pages visited, things searched and other activity, grouped by time. It also lets people look at the same timeline through filters – looking at specific dates, which go all the way into the past, and specific products like Google search, YouTube or Android.

When users open up the page for the first time, pop-ups make the case for why it has been launched and why Google collects quite so much data. You can use the site to “rediscover the things you’ve searched for, visited and watched on Google services” and help “delete specific items or entire topics”.

All of that information feeds Google’s advertising services. By tracking people around the internet it can tailor those ads – but people can use the same site to opt out of the tracking entirely, or just delete information that they would rather wasn’t used for advertising.

Users aren’t automatically opted into the interest-based advertising tools, despite the feature being heavily rolled out. The site instead asks people to turn it on – encouraging them to do so because it makes advertising more helpful and lets them mute any specific ads that they don’t want to see.

Theresa May could launch huge attack on privacy and internet surveillance protections as prime minister, campaigners warn

The new Prime Minister was labelled the villain of the year by the internet industry, and has come to stand for many of the most invasive parts of the modern surveillance state

Britain's Home Secretary Theresa May passes a police officer as she arrives in Downing Street

Theresa May might have some fans but her time in the Home Office will also be remembered less favourably – by the privacy campaigners and internet industry that named her “villain of the year”.

Ms May’s time in the Home Office has been marked by conflicts with the biggest technology and internet companies over laws that would see them forced to break their own security to help surveillance. That has come despite an apparent commitment to liberal ideals in her campaign speeches, leaving many campaigners worried that she might actually pursue more aggressive policies despite her public statements.

"Theresa May has been a draconian Home Secretary, introducing the wrong policies at the wrong times for the wrong reasons,” said Harmit Kambo, campaigns director at Privacy International. “Instead of responding to public alarm about the Edward Snowden disclosures by rolling back state surveillance powers, she has instead ratcheted it up with the Investigatory Powers Bill, the most intrusive surveillance legislation of any democratic country.”

The Investigatory Powers Bill – which in its earlier form was stopped by the Liberal Democrats – looked to hand huge new surveillance powers to bodies including the police and spies. It seems to force companies to weaken their own security technology to let those authorities in, and compels internet companies to store huge amounts of data on their customers’ browsing histories, which can be accessed at any time by the Government.

Ms May’s pushing of that bill put her in a bitter and unprecedentedly public dispute with many of the biggest technology companies – including Apple, Facebook and Google – over whether the law should be passed. Campaigners argued that it was a law that allowed more intrusive surveillance than anywhere else in the world.

Her commitment to strengthening surveillance and rolling back privacy could be further strengthened by the fact that Brexit could allow the UK to opt out of many of the European laws that safeguard people’s privacy, campaigners have warned.

The first test of Ms May’s approach to surveillance will come when European courts decide on a dispute between the Government and two MPs, David Davis and Tom Watson, who argue that the DRIPA legislation that is used to spy on Britons is unlawful. The court is expected to give a preliminary judgement later this month, though it will not in itself be binding.

Campaigners say that it will be important to watch how Ms May responds to the judgement, which could compel the Government to change some of its surveillance practices. Though the UK has voted to leave the EU, it is bound to accept its judgements until it actually does so and the degree to which the new Prime Minister accepts them could define her time in power.

In the longer term, how Ms May chooses to deal with the various parts of European law that will be scrappable could define her approach to privacy. EU rules have been a restraining factor on Ms May’s Home Office, serving as a framework that protects against certain data protection abuses and forces companies to look after information in particular ways.

“If [Theresa May] goes for a full-on exit from European law, we’re going to have some really fundamental challenges,” said Jim Killock, the executive director of the Open Rights Group. “What happens to data protection law? Do we have the same standards, or ones that are similar or weaker?”

The same questions can be asked of electronic privacy regulations, net neutrality, safe harbour rules and copyright. “Nearly everything we do that’s digital is European law at the moment”, notes Mr Killock, and all of them can be re-written once Britain leaves the EU.

In the wake of all of those decisions, we could encounter problems because there will be a rush towards getting rid of regulations rather than preserving or re-writing them. The UK parliament has shown little interest in deciding on laws governing digital rights and privacy, potentially meaning that those decisions will be made by civil servants instead.

Much of the surveillance and anti-terror policy that Ms May has been criticised for began under the Labour government that preceded her. And the Home Office has gradually moved towards an approach of assuming that the best amount of surveillance is also the most, and that it is best limited by legislation that decides how exactly it can be used rather than how much data can be stored.

That will mean that the new Home Secretary is likely to keep much of the same surveillance policy, whoever is chosen to take on Ms May’s now vacant job.

Campaigners have also pointed to reasons for believing that Ms May’s new and public commitment to liberal policies could signal a switch towards being more open about privacy.

“While in opposition she opposed the introduction of ID cards,” said Mr Kambo. “As Home Secretary she has reformed police stop and search powers and has strongly supported equal marriage. She has also recently indicated that she will not pursue earlier plans to pull out of the European Convention of Human Rights, admittedly only because the majority of Parliament opposes withdrawal, not because she does.”

2016-06-26

Whatever you do DON'T open these emails from 'Apple' and 'Facebook'

EXPERTS warn that a flood of spoof emails is trying to trick Apple and Facebook fans into handing over sensitive personal data.

WARNING: Experts are warning users to be aware of a flood of email scams

Web users are being told to take extra care when opening any emails claiming to be from Apple, Twitter or Facebook.

The warning comes after a new “email spoofing” campaign by cyber criminals was spotted by security experts.

Criminals are pretending to be from top tech companies in the hope of duping users into handing over private and sensitive data.

Users tricked by the scam are often persuaded to hand over their personal details, which are then stolen and sold on for profit by the hackers.


WARNING: Apple users have been targeted by this scam

A survey by security firm Detectify found that over half of the world’s most popular domains were being used by imposters in their scams.

Along with top social media sites, major news and media sites were also identified as being a major target for criminals, meaning some users could face spam bombardment from multiple sources.

The news comes just weeks after Apple users were hit by a text scam.

Over the past few months a number of elaborate attacks have already attempted to dupe iPhone owners into handing over user names and passwords.

And according to security researchers at FireEye it's a growing problem.

These phishing campaigns are used to unearth the Apple IDs and passwords of Apple users, which can be used to gain entry to their accounts – and can be combined with stolen credit card information to make purchases via the Apple Store.

Some 86 phishing domains have already been logged since January 2016.

The advice from tech companies is clear, with Apple stating: "The iTunes Store will never ask you to provide personal information or sensitive account information (such as passwords or credit card numbers) via email.

"Email messages that contain attachments or links to non-Apple websites are from sources other than Apple, although they may appear to be from the iTunes Store.

"Most often, these attachments are malicious and should not be opened.

"You should never enter your Apple account information on any non-Apple website."
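Apple’s advice above boils down to two mechanical checks a mail filter can apply to any message that claims to come from Apple: do the links point at an Apple domain, and does the message carry an attachment. The following script, added here as an illustration and not code from the article or from Apple, parses a few constructed sample messages with Python’s standard `email` module and reports those two conditions plus a mismatch between the From address and the claimed brand. The “registrable domain” rule (last two labels of the hostname) is a deliberate simplification that stands in for a public-suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable-domain rule (assumption: no public-suffix list needed
    for the sample hosts): keep the last two labels of the hostname."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_message(raw: str, trusted_root: str = "apple.com") -> list:
    """Apply the page's two checks to one raw RFC 822 message.

    Returns a list of human-readable findings; an empty list means the
    message passed. The From header itself can be spoofed, so a clean result
    here is necessary but not sufficient (SPF/DKIM/DMARC results would be
    the authoritative sender check)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Does the From address even belong to the brand the mail claims?
    _, addr = parseaddr(str(msg["From"]))
    sender_root = registrable(addr.rpartition("@")[2])
    if sender_root != trusted_root:
        findings.append(f"From domain is {sender_root}, not {trusted_root}")

    # 2. Links to non-Apple websites: Apple says such mails are not from Apple.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable(host) != trusted_root:
            findings.append(f"link to non-{trusted_root} host: {host}")

    # 3. Attachments: Apple says these are most often malicious.
    for part in msg.iter_attachments():
        findings.append(f"attachment: {part.get_filename()}")
    return findings


# Constructed samples (not real messages). Hosts use example.* names.
RAW_SPOOF = """From: Apple Support <support@apple.com>
To: user@example.com
Subject: Your Apple ID has been locked
Content-Type: text/plain; charset=utf-8

Your Apple ID was used to sign in from a new device.
Verify your account within 24 hours: http://appleid.verify-account.example.net/login
"""

RAW_LEGIT = """From: Apple <noreply@email.apple.com>
To: user@example.com
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

Manage your account at https://appleid.apple.com/account/manage
"""

RAW_ATTACH = """From: Apple Billing <billing@apple-invoices.example.com>
To: user@example.com
Subject: Invoice attached
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

SAMPLES = {"spoof": RAW_SPOOF, "legit": RAW_LEGIT, "attach": RAW_ATTACH}


def audit_all() -> dict:
    """Audit every constructed sample; maps sample name to its findings."""
    return {name: audit_message(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:7} {'OK' if not findings else findings}")
```

The script runs on any machine with a standard Python 3 install; the spoofed sample is caught by its link host, the attachment sample by both its From domain and its attachment, and the genuine-looking sample passes because its link stays under apple.com.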

2016-06-17

Are YOU on the FBI's SECRET facial scanning database?

AN ALARMING number of citizens are included in the most advanced facial recognition service run by the US' top law enforcement agency, a new report has claimed.

Facial scanning is more widespread than thought as law enforcement agencies step up their activity

New fears have been raised about the scale of the US government's cyber surveillance after figures revealed just how huge its operations really are.

An investigation has found that a staggering 411 million photos are currently being stored in the FBI's facial recognition database – that's more than one photo of every citizen in the United States.

The terrifying scale of the FBI's operations comes courtesy of a Government Accountability Office report commissioned by senior government body the Senate Privacy and Technology Subcommittee.

Facial recognition scans could be tracking you


Facial recognition scans could be being used by the government to keep tabs on you

The report raised some particularly worrying issues about how the FBI audits its own use of facial recognition technology, or even how accurate its systems are, according to one top politician.

173 million of the pictures apparently come from the driving licences of US citizens, the report says.

US Senator Al Franken, the top Democrat in charge of the report, said that the report "raises some very serious concerns, and reveals that the FBI’s use of facial recognition technology is far greater than had previously been understood."


The FBI is using extensive facial scanning services, the report found

The FBI began using its system in April 2015, and since then its agents have carried out more than 36,000 scans, the report says.

When presented with an image of an individual, the database can provide investigators with as many as 50 matching faces it suggests may be a fit.

Along with facial recognition, the agency's database also contains biometric data such as fingerprint readings and retina scans, all of which could be used to identify an individual.

However, such information is often not given with the individual's consent, being taken either as part of police questioning or even when an individual enters the US at an airport.

Fears have been growing about the US government's facial tracking capabilities for several years following the numerous disclosures by famous whistleblower Edward Snowden.

This includes the fact that the National Security Agency (NSA) intercepts “millions of images per day”, around 55,000 of which are “facial recognition quality”, according to a secret 2011 document.

But facial recognition technology is also becoming increasingly popular among consumers as they search for a more personal way to secure their devices.


Edward Snowden told the world about the FBI's tracking

Apple confirmed earlier this week that its new iOS 10 mobile software will use facial recognition tools to scan a user's pictures and identify particular people.

This will allow its Apple Photos app to collect together images of a group of friends or family members and create personalised photo albums.

Windows 10 also offers a facial recognition unlock function using its Windows Hello program, which scans a user's face to open up their device.


Source: Express UK

2016-06-15

WARNING: This terrifying new virus locks YOU out of your TV, and then CHARGES you

SECURITY experts have warned about a growing number of cyberattacks on televisions – which lock out the viewer until they pay a ransom. Here's everything you need to know about the terrifying trend.

Dangerous new malware could halt your watching time by locking you out of your TV

Your television could be the next major target for computer hackers.

Security experts have warned that a dangerous new form of virus aimed at smart TVs is on the rise.

Hackers are increasingly looking to attack television sets from abroad, locking users out of their device and leaving them unable to watch unless they pay a sizeable ransom.

The attacks, known as “ransomware”, make the lockdown look as though an official organisation, such as a police or law enforcement agency, has shut down the affected device.

The warnings often claim illegal content or connections have been made from your TV. This block will then only be lifted when the victim pays a certain ransom to the criminals.


The FLocker ransomware poses as the police to scare users into paying out

That's the warning from security firm Trend Micro, which says it has seen a dramatic increase in the number of attacks targeted at televisions and other smart home products.

This includes viruses that previously only affected smartphones. Android devices in particular have become popular targets for hackers and other cybercrime groups.

The latest attack spotted by Trend Micro claims to be an official warning by the US Cyber Police.

It hijacks a TV set and delivers a warning that the device will remain locked until the victim hands over $200 worth of iTunes gift cards.

As television attacks are such a new form of attack, there's not much that can immediately be done until more security firms understand how the attack works.

If you are attacked, however, Trend Micro recommends contacting your TV's maker for assistance, and only installing apps onto your devices from well-known sources such as Google Play.


Hackers are turning to ransomware for big payouts

Ransomware is one of the fastest-growing cybercrime trends as cyber-criminals look to target more victims than ever before.

The tactic has even begun to hit Apple's Mac devices: a campaign discovered back in March affected a number of users who downloaded software from an unauthorised source and were then forced to pay a ransom of 1 bitcoin ($400).

And hackers have increased their attacks after several victims paid out big money to free themselves from ransomware.

One of the most lucrative payouts saw a hospital in Hollywood shell out more than £11,000 in bitcoin after its computer systems were left crippled by an attack.

Android users were also warned about the security of their devices earlier this year following a campaign that threatened to wipe users' phones simply by opening a text message that then downloaded dodgy software to the device.


Source: Express UK

2016-06-13

Hackers are using this nasty text message trick to break into people's accounts

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook
The hacker enters the victim's password, followed by an ill-gotten 2FA code, and they're in

Two-factor authentication is a godsend for securing your accounts.

It requires a second level of proof of who you are - typically a code sent to your phone - before you can log in. This prevents anyone from gaining unauthorised access to your account, even if they manage to get hold of your password.

However, hackers and hijackers are managing to find ways around it.

Earlier this week, Alex MacCaw, co-founder of data API company Clearbit, shared a screenshot of a text attempting to trick its way past two-factor authentication (2FA) on a Google account.

Here's how it works:

The attacker sends the target a text message, pretending to be the very company that the target has an account with.

They say they have detected “suspicious” activity on the account, and so are sending the 2FA code to the target, who should then text it back to them to avoid having their account locked.

The victim, worried they are being hacked and not wanting to lose access to their data, sends the code back, believing they have thwarted the attempted hack.

But in doing so, they actually give the hacker the one thing they needed to break into the account.

The hacker enters the victim's password, followed by this ill-gotten 2FA code, and they're in.

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook, or Apple, rather than an unknown number.

Of course, the attacker still needs the victim's password for this to work. But there are a number of ways they could get hold of it. Often they look at data dumps from old hacks for emails/usernames and passwords which they then try on other sites, because so many people reuse passwords across multiple accounts and platforms.

Huge databases of tens of millions of email addresses and passwords have been floating around in the last few weeks - notably from LinkedIn and MySpace. So if you reuse passwords, your login details may be being shared online right now without you realising.

The text message that Alex MacCaw shared on Twitter is above.

To stay safe, use a strong, unique password for every account you have - managing them all with a password manager if necessary - and don't text your Two-factor authentication codes to anyone, even if they appear legitimate.


Source: Business Insider UK & Independent UK

2016-06-12

Details of 33 million Twitter accounts hacked and posted online

Twitter security officials said they are 'confident the information was not obtained from a hack of Twitter’s servers'

Security experts said the most common password affected by the breach was '123456'

Twitter has been forced to lock around 33 million accounts after their security details were posted online for sale.

The accounts were breached by Russian hackers and posted on to ‘the dark web’ – a web service that requires specific advanced software to access.

The hack was made public by security firm LeakedSource.

According to Michael Coates, Twitter’s trust and information security officer, the social networking site is “confident the information was not obtained from a hack of Twitter’s servers.”

Rather, the usernames and passwords were stolen from email accounts and other social networking sites, such as LinkedIn and MySpace.

“Regardless of origin, we’re acting swiftly to protect your Twitter account,” Mr Coates said.

Twitter quickly responded to the breach by cross-checking the details of 32,888,300 records with its user database. It immediately locked any Twitter accounts it believed were vulnerable.

The social networking service guaranteed: “If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the ‘dark web’ – then you have already received an email that your account password must be reset.”

“Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”

LeakedSource explained the breach was caused by computers infected with malware that “sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter”.

The security website observed the most common password affected by the breach was ‘123456’, followed by ‘123456789’ – ‘qwerty’ and ‘password’ were third and fourth respectively.

It also showed that Russian cyber-surfers were the worst affected.

Speaking to Ars Technica, security researcher Troy Hunt said: “I'm highly sceptical that there's a trove of 32 million accounts with legitimate credentials for Twitter.

“The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low.”

Just this week, Facebook founder Mark Zuckerberg had his Twitter and Pinterest accounts hacked after hackers used a password obtained from a LinkedIn breach in 2012.

Twitter warned that to prevent your account from being hacked, users should “use a strong password that you don’t reuse on other websites.”


Source: Independent UK

2016-06-11

Why is everyone covering up their laptop cameras?

Stickers and slides serve to ease concerns that spooks could be watching our every move, as even the FBI director says he puts tape on his camera

The crowdfunded product Eyebloc failed to reach its $5,000 funding target despite appealing to a legitimate concern about surveillance. Maybe duct tape is quite good enough?

For the past half decade, the technology industry has been racing to build better cameras into the hardware we use every day.

Yet the surveillance age has inspired an odd cottage industry battling against this trend: a glut of cheap stickers and branded plastic slides designed to cover up the front-facing cameras on phones, laptops and even televisions.

For years, security researchers have shown that hackers can hijack the cameras to spy on whoever is on the other end. To put that in perspective, think of all the things your devices have seen you do.

Such warnings have finally caught on. Last month, the FBI director, James Comey, told an audience: “I put a piece of tape over the camera because I saw somebody smarter than I am had a piece of tape over their camera.”

The corporate swag company Idea Stage Promotions describes its Webcam Cover 1.0 as “the HOTTEST PROMOTIONAL ITEM on the market today”. The cable channel USA Networks sent journalists a “Mr Robot” webcam cover for the popular hacker thriller’s upcoming season.

Covering cameras isn’t new for those who know that the internet is always watching. Eva Galperin, a policy analyst for the Electronic Frontier Foundation, says that since she bought her first laptop with a built-in camera on the screen, a MacBook Pro, in 2007, she’s been covering them up.

EFF started printing its own webcam stickers in 2013, as well as selling and handing out camera stickers that read: “These removable stickers are an unhackable anti-surveillance technology.”

“People purchase these regularly,” a spokesman said.

The fear over web cameras has penetrated deep into popular culture. The trailer for Oliver Stone’s forthcoming biopic Snowden, on the US spy contractor, features a clip of actor Joseph Gordon-Levitt, who plays the title character, looking nervously at his laptop camera during an intimate moment with his girlfriend.

So are we all being paranoid? Well, it’s not science fiction. Researchers in 2013 showed how they could activate a MacBook’s camera without triggering the green “this-thing-is-on” light. One couple claimed a hacker posted a video of them having sex after hacking their smart TV. And federal court records show that the FBI does know how to use laptop cameras to spy on users as well.

So, naturally, where there’s fear, there is money to be made.

The DC-based CamPatch describes itself as “the Mercedes Bens [sic] of putting tape over your webcam”. Its founders started the company in 2013 after hearing a briefing from Pentagon cybersecurity experts on how webcams were a new “attack vector”, said Krystie Caraballo, CamPatch’s general manager.

Caraballo wouldn’t disclose financials other than to say the company has had “six-figure revenues for the last several years” and that it has distributed more than 250,000 patches. The company advertises bulk pricing “as low as $2.79”.

Yet not everyone is on the camera-covering bandwagon. Brian Pascal, a privacy expert who has worked for Stanford and Palantir Technologies, says a cost-benefit analysis led him to conclude he’d rather have a usable camera, which he can use to record his son. But he acknowledged such stickers are a way for people to signal that they too worry about Big Brother.

“Security actions without threat modelling are just performative,” said Pascal.

Others just haven’t gotten around to it yet.

“Because I’m an idiot,” replied Matthew Green, an encryption expert at Johns Hopkins University when asked why he doesn’t cover his cameras. “I have no excuse for not taking this seriously ... but at the end of the day, I figure that seeing me naked would be punishment enough.”

Of course, webcam paranoia is likely to be only the first of many awakenings as consumers bring more devices into their lives that can be turned into unwitting spies. Amazon.com has had enormous success with its Echo smart speaker that, by default, is always listening for its owners’ commands. Google plans to release a similar product this year called Google Home.

In a hearing on Capitol Hill in February, the US director of national intelligence, James Clapper, acknowledged how the so-called “internet of things” could be used “for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials”.


Source: The Guardian UK

WhatsApp VIRUS warning: Hundreds sent Dance of the Pope video hoax

HUNDREDS of WhatsApp users have received a warning over a purported smartphone-deleting VIRUS, entitled The Dance of the Pope.

The message – which has spread across the popular messaging application – warns users NOT to accept a video called “The Dance of the Pope”.

It claims the papal-themed video is in reality a “dangerous” mobile virus “that formats your mobile phone”.

"Beware, it is very dangerous," the chain mail message cautions. "It was announced on the radio in the United States."

However, a number of security blogs have dismissed the WhatsApp video as a simple hoax.

The WhatsApp warning has been branded a chain letter – a hoax which encourages readers to share the message with their contacts.

The “Dance of the Pope” video threat is similar to another hoax which spread across WhatsApp over the summer.

Warnings over an imminent terrorist attack on the London Underground were circulated on the messaging platform and other popular social media websites.

Typically, the hoax messages would begin with an explanation about the origin of the tip-off – usually a friend who worked for the Met Police or Transport for London.

"They think there's a terror threat and that it will happen on the tubes tomorrow around the west end area,” the message would warn.

It would then claim that "every single police officer in the Met has been called into work from 4am onwards".

A Metropolitan police spokesman later confirmed the messages were a "definite hoax".

"These rumours are not uncommon," he added.

"The only thing that gives them any credence is people re-tweeting them and circulating them."

A member of the Support Team at WhatsApp told Express.co.uk: "That message is a hoax and did not come from WhatsApp.

"Please disregard the message and do not resend it.

"We do not use WhatsApp to mass message our user base, nor would we ever send you a message advertising gifts or asking you to forward a message to your contacts."


Source: Express UK

2016-06-06

Text scams: The messages that allow criminals to break into your iPhone, and how to spot them

Mobile phones are increasingly becoming the most important part of people’s work and social lives – which means they’re more and more vulnerable to attack

A man uses an iPhone 5C at the Berlin Apple Store

The next text message you receive could ruin your life.

Increasingly, SMS messages are being used as a way of duping people into giving up their online accounts, their identities and their money.

Many of those messages arrive looking perfectly innocent, and even useful. But they could be incredibly dangerous – and so it’s important to make sure to know how to spot them.

One of the major problems with such scams is that it is now relatively easy to pretend to be someone else, over text. The technology that powers texts allows people to put custom names in when they send messages – allowing people to easily pretend to be Google, Apple or anybody else.

As such, the main thing is to never give any information over text message, and only use it as a way of showing alerts. You never know who is texting you, or who you are texting – so treat it with extreme caution.

iCloud scams

One of the more recent scourges coming over SMS are iCloud scams. They aim to trick people into giving up the password that they use to get into their Apple account – and, once hackers are into that, then they can easily get your bank account details, your location, and more scary stuff besides.

Most of these notifications just work like traditional phishing scams, where cyber criminals pretend to be a company so that users send them details. But because they are done through the very personal but notoriously sketchy technology of SMS, they can be easy to spot.

It isn’t clear why there has been such a huge amount of these in recent months, but reports of them definitely do seem to be surging. The advice is the same as for traditional phishing: responsible companies will never ask you to reply to a message with your personal details, or tell you to click on a dodgy link, so make sure that you only ever give your information to official websites, and check carefully that the site you are on really is the official one.

Two-factor authentication

Another newer development is tricks that try to get around the two-factor authentication that many products now have built in – and which, for the most part, is a big obstacle for people breaking into your account. That's why it has also become such a security risk.

Two-factor authentication works by attaching a phone number to a person’s account. When they try to log in, it will send a unique code to that phone number, and that has to be typed into the site. It’s built to foil people who steal passwords and then use them to get into accounts, because it requires physical access to the phone; and that’s why people are now trying to get around it with scams.

One highlighted this weekend shows a message that claims to be from Google and tells people that their account may have been hacked. If they want to have it shut down, it says, they need to reply to the message with the 6-digit verification code that they are about to receive.

It’s a sneaky way of getting people to put the authentication message that they have received from Google into a text message so that scammers can get around the security setup. But it’s a curiously convincing one.

Again, the key is never to enter any important codes into a text message or any unverified sites. And sites such as Google and others that use two-factor authentication will only ever send you the messages if you ask for them; if you’re receiving them without asking, it probably means someone is trying to break into your account.
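The rule both this piece and the earlier Business Insider piece give is that a provider delivers a verification code and never asks for it back. As an added example (not code from either article), the small heuristic scanner below applies that rule to a few SMS texts constructed for the purpose, flagging the reply-with-your-code pattern; the indicator names and regexes are this example's own assumptions.

```python
import re

# Indicators of the reply-with-your-code scam described above. The regexes and
# the sample messages below are constructed for this example, not taken from a
# real scam corpus.
INDICATORS = {
    # the defining trait: the sender wants the recipient to send a code back
    "asks_to_reply_with_code": re.compile(
        r"\b(reply|text|send)\b[^.]{0,80}\b(code|pin)\b", re.IGNORECASE),
    # the pretext used to create urgency
    "suspicious_activity_pretext": re.compile(
        r"suspicious|unusual|unauthori[sz]ed", re.IGNORECASE),
    # the threatened consequence
    "lockout_threat": re.compile(
        r"\b(locked|suspended|shut ?down|disabled)\b", re.IGNORECASE),
    # a six-digit code actually present, as in a genuine 2FA delivery
    "code_in_message": re.compile(r"\b\d{6}\b"),
}


def classify_sms(text):
    """Return (verdict, matched_indicator_names) for one inbound SMS."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if "asks_to_reply_with_code" in hits:
        # Providers deliver codes; they never ask for them back.
        verdict = "likely_scam"
    elif "suspicious_activity_pretext" in hits and "lockout_threat" in hits:
        # Urgency plus a threat and no code delivered: a phishing pretext.
        verdict = "likely_scam"
    elif "code_in_message" in hits:
        # A code delivered with nothing requested: consistent with a real 2FA SMS.
        verdict = "looks_like_code_delivery"
    else:
        verdict = "unclassified"
    return verdict, hits


# Constructed sample messages: one genuine-looking code delivery, two scams
# modelled on the ones the articles describe, and an unrelated text.
SAMPLES = [
    "Google: your verification code is 482913. Do not share it with anyone.",
    "Google has detected suspicious activity on your account. To stop it being "
    "locked, reply to this message with the 6-digit verification code you are "
    "about to receive.",
    "Apple: unusual sign-in detected. Text back the code we just sent you or "
    "your Apple ID will be disabled.",
    "Running late, see you at 7.",
]


def classify_all(samples=SAMPLES):
    """Verdict for each sample, in order."""
    return [classify_sms(s)[0] for s in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, hits = classify_sms(sample)
        print(f"{verdict:26} {hits}  <- {sample[:50]}...")
```

The check is deliberately simple: a message that merely contains a code is not flagged, while any message asking the recipient to send a code back is, regardless of how convincing the claimed sender looks.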


Source: Independent UK

2016-05-31

More than 65m Tumblr emails for sale on the darknet

Company only now discloses scale of hack three years ago – shortly before purchase by Yahoo – as database of passwords is leaked

Yahoo acquired Tumblr in May 2013. The security breach took place earlier that year

Personal information from more than 65m Tumblr accounts has been discovered for sale on the darknet.

Tumblr disclosed the leak, which it says took place in early 2013, this month, but had not previously acknowledged the scale of the database that was compromised.

The database includes email addresses and passwords, but the latter are heavily protected: Tumblr salted and hashed the passwords, a procedure which renders it practically impossible to restore the passwords to a usable state. It has since turned up for sale on darknet marketplace The Real Deal, with a sale price of just $150, according to Motherboard’s Lorenzo Franceschi-Bicchierai.

“As soon as we became aware of this, our security team thoroughly investigated the matter,” the company said in a statement on 12 May. “Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

Troy Hunt, a security researcher who runs the Have I Been Pwned site, which records database leaks and notifies the victims, writes that the leak is a good example of a new type of breach: “historical mega breaches”.

Hunt has recorded 269m individual compromised accounts in the past week, and notes that a MySpace database ostensibly containing 360m records is also for sale online, but none of the sites involved was breached more recently than three years ago. “This data has been lying dormant – or at least out of public sight – for long periods of time,” Hunt says.

Users who fear that their credentials were involved in the Tumblr hack can find out at Hunt’s site. Tumblr recommends that affected users change their password, and those in the database should also be particularly on the lookout for phishing attacks over the coming weeks and months.
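Two defensive steps appear in the Twitter and Tumblr pieces above: storing passwords salted and hashed, and cross-checking a leaked dump of email/password pairs against the user database to lock only the accounts that are actually exposed. The example below is added here and is not Twitter's or Tumblr's code; it assumes PBKDF2-HMAC-SHA256 (neither article names the hash used), and the user store and leaked records are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # iteration count is an assumption for this example


def hash_password(password, salt):
    """Salted, slow hash. A per-user random salt means two users with the same
    password get different hashes, so a table precomputed for one leaked hash
    does not crack the rest of the dump."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_record(password):
    """What the service stores for a user: (salt, hash), never the password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def password_matches(password, record):
    salt, stored = record
    # constant-time comparison so the check itself does not leak timing
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed user store: email -> (salt, hash). Built at import so the script
# is self-contained; a real service would already hold these records.
USER_DB = {
    "alice@example.com": create_record("123456"),
    "bob@example.com": create_record("correct horse battery staple"),
    "carol@example.com": create_record("qwerty"),
}

# Constructed leaked dump of plaintext credentials "from other sites",
# the kind of list Twitter said it cross-checked against its own users.
LEAKED_RECORDS = [
    ("alice@example.com", "123456"),          # reused password: exposed
    ("bob@example.com", "hunter2"),           # different password: safe
    ("dave@example.com", "123456"),           # not a user here: ignored
    ("CAROL@example.com", "qwerty"),          # reused, different letter case
]


def find_exposed_accounts(user_db, leaked_records):
    """Emails whose current password equals a leaked credential for the same
    address. Only these need locking and a forced reset, and the check runs
    against stored hashes, so the service never needs the plaintext itself."""
    exposed = set()
    for email, leaked_pw in leaked_records:
        email = email.lower()
        record = user_db.get(email)
        if record is not None and password_matches(leaked_pw, record):
            exposed.add(email)
    return exposed


def salting_gives_distinct_hashes(password="123456"):
    """Same password, two fresh salts: the hashes differ, which is why a salted
    dump cannot be cracked with a single lookup table."""
    _, h1 = create_record(password)
    _, h2 = create_record(password)
    return h1 != h2


if __name__ == "__main__":
    for email in sorted(find_exposed_accounts(USER_DB, LEAKED_RECORDS)):
        print(f"lock and force reset: {email}")
    print("salts make hashes distinct:", salting_gives_distinct_hashes())
```

Salting only defeats precomputed tables; a password like ‘123456’ still falls to plain guessing against its own hash, which is why the forced reset matters as much as the hashing.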


Source: The Guardian UK

WhatsApp Update Available with Fingerprint Protection


WhatsApp currently benefits from end-to-end encryption, and its 1 billion users now feel safer. But a native password protection mechanism is missing and WhatsApp won’t introduce one in the near future, so users will continue to rely on third-party applications or on Android’s support for fingerprint readers.

It’s not the best idea to install third-party applications to password-protect chats in WhatsApp, because many unofficial applications shouldn’t be trusted and can easily be hijacked by hackers. WhatsApp is targeted by many cybercriminals, who try all kinds of methods to trick users into clicking on links with fake promotions, so why wouldn’t they also create applications that, instead of protecting users’ passwords, steal them and leak important information?

In the past months, mobile device manufacturers have released various smartphones with fingerprint scanners, but WhatsApp hasn’t said a word yet about adding fingerprint protection. The reason behind the developers’ lack of interest is that not many Android users are requesting this feature.

The good news is that Android Marshmallow brought fingerprint authentication, which can be used not only to unlock devices, but applications as well. For now, the latest Android software is installed on only 7.5 percent of all Android devices, and WhatsApp’s developers will bring a locker feature once the percentage of Marshmallow users increases.

Anyway, Android users who want to install the latest beta update of WhatsApp can go to the Google Play store and download version 2.16.102, which weighs 28.31 MB. This update comes only with improvements to the app stability and other bug fixes. The most important new features that have been released lately are: the option to reply to new messages from notifications, the option to send a formatted text (bold, italic, strikethrough), the option to pick a photo/video from the camera roll, by tapping the quick camera button in a chat etc.

2016-05-29

Google's upcoming Allo messaging app is 'dangerous', Edward Snowden claims

Snowden said Google's decision to disable end-to-end encryption by default makes it 'unsafe'
Google's Allo messaging app has been dubbed dangerous by whistleblower Edward Snowden

The new chat app will be released this summer

Using Google’s upcoming messaging app is “dangerous”, according to Edward Snowden.

In a tweet, the whistleblower advised against using Allo, the search giant’s latest app, saying: "Google's decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and makes it unsafe. Avoid it for now."

His warning came after Google’s security expert Thai Duong blogged about the app’s security features.

Allo, branded as a “smart messaging app”, offers extra features when compared to other services like WhatsApp and Facebook Messenger.

Its 'smart reply' feature scans messages and suggests replies, and integrates Google’s other services like Google Search and Maps, all in a single app.

Allo also offers two privacy settings: normal and incognito.

Although messages are encrypted in both modes, the normal setting allows artificial intelligence run by Google to read messages, analyse them and provide suggestions. Only the incognito mode uses end-to-end encryption, which ensures that the messages can only be read by the people on either end of the conversation.

However, the default setting is normal, and to have further encryption a user has to manually change the privacy settings to incognito.

Thai Duong, a security expert at Google, blogged about his “personal opinion” of the new application “as someone from outside the team who consulted on security for Allo.” He edited the post after it was uploaded.

Duong wrote in an update: “I erased a paragraph from this post because it's not cool to publicly discuss or to speculate the intent or future plans for the features of my employer's products, even if it's just my personal opinion.”

This statement does not clarify what has been deleted from the blogpost.

However, Snowden explained in his tweet that the security expert was “discussing how #Allo is unsafe by default," and commented: "[The] lesson - bosses read blogs."

TechCrunch reported the deleted part of Duong’s post read: “The burning question now is: if incognito mode with end-to-end encryption and disappearing messages is so useful, why isn’t it the default in Allo?”

It is not clear whether Google told Duong to delete the paragraph from his blogpost or not.


Source: Independent UK

New Report Claims Public Charging Stations Might Not Be So Safe


If your phone runs out of juice while you're out-and-about it might be much safer (but a whole lot more frustrating, obviously) to wait until you can use your own charger to beef up your battery.

According to research from Kaspersky Lab, all kinds of information can be transferred from your phone when you charge it up, such as the name of your device, the model, the serial number and the electronic chip ID. (Exactly what is sent depends largely on the manufacturer and model of phone that you have.)

Sure, the serial number of your phone getting into the wrong hands may not sound too important, but Kaspersky Lab claims that those details might be all that some hackers need to break into your phone and get access to stuff that is really important.

If the public charging station hooks up directly to a power supply, that's okay. But often there's no way of telling whether there's hardware installed at the other end. And if there is hardware at the other end, the research team has shown that it can install a "root application" on a dummy smartphone, which compromises the device.

So what do you do if you're on-the-move and really need to charge up your device? Well, if you're using iOS and the 'Trust this computer?' warning pops up, hit 'Don't trust' to just charge and not share anything. And don't unlock your phone when it's charging. Most Android devices have similar settings, so if you plug your phone in and you're asked what to share, always opt for 'Charging Only'.


Source: Express UK

2016-05-27

Charging your mobile phone by plugging it into a computer could be enough to get you HACKED

If you thought plugging your phone into a computer to charge it up was fairly safe, you thought wrong

When your phone starts complaining that its battery is running low, you probably wouldn't think twice about plugging it into a computer to charge it up.

But security experts claim that this simple act could be enough to get you hacked.

According to researchers at Kaspersky Lab, plugging your iPhone or Android smartphone into a computer results in a whole load of data being exchanged between the two devices.

This could include the phone's name, the manufacturer, the device type, the serial number, firmware information, the operating system information, the file system and the electronic chip ID.

The amount of data sent varies depending on the device and the host, but each smartphone transfers the same basic set of information - like device name, manufacturer and serial number.


While this information may seem fairly innocuous, it is enough for a hacker to break into a smartphone and take control, according to Kaspersky.

Using a regular PC and a standard micro USB cable, the researchers were able to silently install a "root application" on a test smartphone, amounting to a total compromise of the device.

This is not the first time theft of data from a mobile connected to a computer has been observed.

This technique was used in 2013 as part of the cyberespionage campaign Red October. The Hacking Team group also made use of a computer connection to load a mobile device with malware.


In both of these cases, the hackers found a way to exploit the supposedly safe data exchange between the smartphone and the PC it was connected to.

By checking the identification data received from the connected device, the hackers were able to discover what device model the victim was using and then use this information to tailor their attack.

This would not have been as easy to achieve if smartphones did not automatically exchange data with a PC upon connecting to the USB port.

"The security risks here are obvious: if you’re a regular user you can be tracked through your device IDs; your phone could be silently packed with anything from adware to ransomware," warns Alexey Komarov, researcher at Kaspersky Lab.


"And you don't even have to be highly-skilled in order to perform such attacks, all the information you need can easily be found on the Internet."

If you're worried about getting hacked in this way, Kaspersky Lab says there are several ways to protect yourself:

  • Use only trusted USB charging points and computers to charge your device
  • Protect your mobile phone with a password, or with another method such as fingerprint recognition, and don’t unlock it while charging
  • Use encryption technologies and secure containers (protected areas on mobile devices used to isolate sensitive information) to protect the data
  • Install some kind of antivirus software that is capable of detecting malware even if a "charging" vulnerability is used