Domain: itnews.com.au
Stories and comments across the archive that link to itnews.com.au.
Stories · 418
Thunderbolt Vulnerabilities Leave Computers Wide-Open, Researchers Find (itnews.com.au)
Bismillah writes: Researchers have published the results of exploring how vulnerable Thunderbolt is to DMA attacks, and the answer is "very." Be careful what you plug into that USB-C port. Yes, the set of vulnerabilities has a name: "Thunderclap." "Thunderbolt, which is available through USB-C ports on modern laptops, provides low-level direct memory access (DMA) at much higher privilege levels than regular universal serial bus peripherals," reports ITNews, citing a paper published from a team of researchers from the University of Cambridge, Rice University and SRI International. "This opens up laptops, desktops and servers with Thunderbolt input/output ports and PCI-Express connectors to attacks using malicious DMA-enabled peripherals. The main defense against the above attacks is the input-output memory management unit (IOMMU) that allows devices to access only the memory needed for the job to be done. Enabling the IOMMU to protect against DMA attacks comes at a high performance cost however. Most operating systems trade off security for performance gains, and disable the IOMMU by default."
"Apple's macOS uses the IOMMU, but even with the hardware defense enabled, the researchers were able to use a fake network card to read data traffic that is meant to be confined to the machine and never leave it," the report adds. "The network card was also able to run arbitrary programs at system administrator level on macOS and could read display contents from other Macs and keystrokes from a USB keyboard. Apple patched the vulnerability in macOS 10.12.4 that was released in 2016, but the researchers say the more general scope of such attacks remains relevant." -
Australian Email Service FastMail Says It is Losing Customers and Facing Calls To Move Operations Outside of the Country Over Local Anti-Encryption Laws (itnews.com.au)
An anonymous reader shares a report: Email provider FastMail says it has lost customers and faces "regular" requests to shift its operations outside Australia following the passage of anti-encryption laws. The Victorian company, which offers ad-free email services to users in 150 countries, told a senate committee that the now-passed laws were starting to bite.
"The way in which [the laws] were introduced, debated, and ultimately passed ... creates a perception that Australia has changed - that we are no longer a country which respects the right to privacy," FastMail CEO Bron Gondwana said. "We have already seen an impact on our business caused by this perception. Our particular service is not materially affected as we already respond to warrants under the Telecommunications Act." "Still, we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice. We are [also] regularly being asked by customers if we plan to move." -
The Kremlin's Remote-Access Credentials Left Thousands Of Businesses Exposed For Years (zdnet.com)
A Dutch security researcher says he found credentials for the Russian government's backdoor account for accessing servers of businesses operating in Russia, ZDNet reports: The researcher says that after his initial finding, he later found the same "admin@kremlin.ru" account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia. Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.... "The first time I saw these credentials was in the user table of a Russian Lotto website," Victor Gevers told ZDNet in an interview Monday. "I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions....
"All the systems this password was on were already fully accessible to anyone," Gevers said. "The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access."
"It took a lot of time and also many attempts to contact and warn the Kremlin about this issue," the researcher added -- specifically, three years, five months and 15 days. The Kremlin reused the same credentials "everywhere," reports IT News, "leaving a large number of businesses open to access from the internet."
Long-time Slashdot reader Bismillah calls it "an illustration of the dangers of giving governments backdoors into systems and networks." -
China Telecom Hijacks US, Canadian Internet Traffic On a Regular Basis, Report Says (itnews.com.au)
Bismillah writes: China Telecom is up to no good with Border Gateway Protocol (BGP) shenanigans, researchers have discovered. The state-owned telco is hijacking and rerouting internet traffic to China via its U.S. and Canadian points of presence (PoPs). As for how the researchers came to their conclusion, they reportedly "built a route tracing system that monitors BGP announcements and which picks up on patterns suggesting accidental or deliberate hijacks and discovered multiple attacks by China Telecom over the past few years," reports iTNews.
In one example occurring in 2016, "China Telecom diverted traffic between Canada and Korean government networks to its PoP in Toronto," the report says. "From there, traffic was forwarded to the China Telecom PoP on the U.S. West Coast and sent to China, and finally delivered to Korea. Normally, the traffic would take a shorter route, going between Canada, the U.S. and directly to Korea." The telecommunications company is able to reroute the traffic by announcing fake routes via the BGP, which "governs data flow between Autonomous Systems, the large networks operated by telcos, internet providers and corporations." -
Five Eyes Intelligence Alliance Argues 'Privacy is Not Absolute' in Push For Encryption Backdoors (itnews.com.au)
The Five Eyes, the intelligence alliance between the U.S., U.K., Canada, Australia, and New Zealand, issued a statement warning they believe "privacy is not absolute" and tech companies must give law enforcement access to encrypted data or face "technological, enforcement, legislative or other measures to achieve lawful access solutions." Slashdot reader Bismillah shares a report: The governments of Australia, United States, United Kingdom, Canada and New Zealand have made the strongest statement yet that they intend to force technology providers to provide lawful access to users' encrypted communications. At the Five Country Ministerial meeting on the Gold Coast last week, security and immigration ministers put forward a range of proposals to combat terrorism and crime, with a particular emphasis on the internet. As part of that, the countries that share intelligence with each other under the Five-Eyes umbrella agreement, intend to "encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services." Such solutions will apply to products and services operated in the Five-Eyes countries which could legislate to compel their implementation. "Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions," the Five-Eyes joint statement on encryption said. -
Google To Nix All Tech Support Provider Ads (itnews.com.au)
Google will restrict advertisements placed by third-party technical support providers, in an effort to stem a rising tide of abuse and fraud by scammers who offer to fix non-existent problems on consumers' computers. Report says: The restriction for tech support ads comes after Google collaborated with law enforcement and government agencies to address abuse in the area, the company's director of public policy David Graff wrote. All ads for technical support will be restricted worldwide, even for legitimate providers, Graff said. Google's banned such ads because the company finds it increasingly difficult to tell scammers from legitimate providers, as the fraudulent activity happens away from the company's platform. -
Google Glitch Took Thousands of Chromebooks Offline (geekwire.com)
Slashdot reader Bismillah was the first to notice stories about Chromebooks going offline. GeekWire reports: Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected.
Google eventually issued a new network policy without the glitch -- but not everyone was satisfied. The Director of Technology at one school district complains Google waited three and a half hours before publicly acknowledging the problem -- adding that "manually joining a WiFi network on 10,000+ Chromebooks is a nightmare." -
Should Developers Do All Their Own QA? (itnews.com.au)
An anonymous reader quotes IT News: Fashion retailer The Iconic is no longer running quality assurance as a separate function within its software development process, having shifted QA responsibilities directly onto developers... "We decided: we've got all these [developers] who are [coding] every day, and they're testing their own work -- we don't need a second layer of advice on it," head of development Oliver Brennan told the New Relic FutureStack conference in Sydney last week. "It just makes people lazy..."
Such a move has the obvious potential to create problems should a developer drop the ball; to make sure the impact of any unforeseen issues is minimised for customers, The Iconic introduced feature toggles -- allowing developers to turn off troublesome functionality without having to deploy new code. Every new feature that goes into production must now sit behind one of these toggles, which dictates whether a user is served the new or old version of the feature in question. The error rates between the new and old versions are then monitored for any discrepancies... While Brennan is no fan of "people breaking things", he argues moving fast is more beneficial for customers.
"If our site is down now, people will generally come back later," Brennan adds, and the company has now moved all of its QA workers into engineering roles. -
Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)
"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog." -
Massive Study Links IP Addresses Per Capita To GDP (itnews.com.au)
Three researchers "decided to scan the entire IPv4 address range every 15 minutes between 2006-2012 to work out what insights they could gain from humanity's mass connection to the internet," reports ITnews. The study...analysed data from 411 large regions from middle to high-income countries and found a positive correlation between GDP per capita and the number of IP addresses per head. A 10% increase in IP addresses per capita was associated with an 0.8% hike in GDP, the analysis found. The researchers cautioned that the output and productivity growth they noted when the number of IP address increased was correlation rather than causation. Service-oriented sectors -- such as publishing, news, film production, administrative support, and education -- appear to have suffered a negative effect from increasing internet penetration [PDF]. The researchers believe these sectors were susceptible to competition from cheaper outsourcing providers.
Slashdot reader Bismillah pointed out that the researchers also measured sleeping patterns over seven years, assuming IP addresses of internet-connected devices generally correlated to people who were awake. According to the article, "They found that sleep patterns may be changing and converging around the world: Europeans slept less, East Asians more, while Americans' sleeping patterns remained static over the seven-year period." -
Microsoft Extends EMET End of Life Date (itnews.com.au)
An anonymous reader writes: Microsoft will continue to support and provide security patches for its Enhanced Mitigation Experience Toolkit security software for Windows until July 31 2018, after taking customer feedback into account. EMET is a security utility software popular with enterprise customers running supported versions of Windows. It uses mitigation techniques to block attackers from exploiting vulnerabilities in software. The company's lead program manager for operating system security, Jeffrey Sutherland, said while EMET 5.5x will continue to be supported for another 18 months after the original end of life date of January next year, Microsoft recommended customers migrate to Windows 10 for improved security. -
Xen Vulnerability Allows Hackers To Escape Qubes OS VM And Own the Host (itnews.com.au)
Slashdot reader Noryungi writes: Qubes OS certainly has an intriguing approach to security, but a newly discovered Xen vulnerability allows a hacker to escape a VM and own the host. If you are running Qubes, make sure you update the dom0 operating system to the latest version.
"A malicious, paravirtualized guest administrator can raise their system privileges to that of the host on unpatched installations," according to an article in IT News, which quotes Xen as saying "The bits considered safe were too broad, and not actually safe." IT News is also reporting that Qubes will move to full hardware memory virtualization in its next 4.0 release. Xen's hypervisor "is used by cloud giants Amazon Web Services, IBM and Rackspace," according to the article, which quotes a Qubes security researcher who asks the age-old question. "Has Xen been written by competent developers? How many more bugs of this caliber are we going to witness in the future?" -
Shopping Mall SMS Parking Notifications Could Be Used To Track Any Car (itnews.com.au)
Bismillah writes: Westfield's Scentre Group has removed SMS notifications for its ticketless parking system after it was discovered they could be used to track other people's cars unnoticed. The system allows you to enter any licence plate, which in turn will be scanned upon entry and exit at mall parking facilities — and when the free parking time is up, a notification message is sent to the mobile phone number entered, with the exact location of the car. -
Satellite Failure Behind GPS Timing Anomaly (itnews.com.au)
Bismillah writes: The recent 13-microsecond timing anomaly was caused by a satellite failure triggering a "software issue", the USAF 50th Space Wing has confirmed. Such an error is large enough to cause navigation errors of up to 4 km. Luckily, no issues with GPS guided munition were reported. Reader donaggie03 adds a link to the official explanation from Rick Hamilton, Executive Secretariat of the Civil Global Positioning System Service Interface Committee. From Hamilton's email: Further investigation revealed an issue in the Global Positioning System ground software which only affected the time on legacy L-band signals. This change occurred when the oldest vehicle, SVN 23, was removed from the constellation. While the core navigation systems were working normally, the coordinated universal time timing signal was off by 13 microseconds which exceeded the design specifications. The issue was resolved at 6:10 a.m. MST, however global users may have experienced GPS timing issues for several hours. -
Blackberry Offers 'Lawful Device Interception Capabilities' (itnews.com.au)
An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" for government surveillance. BlackBerry COO Marty Beard said as much at a recent IT summit. He declined to explain how the interception works, but he denied the phones would contain "backdoors" and said governments would have no direct access to BlackBerry servers. The company may see this as a way to differentiate themselves from the competition. -
Cheap Thermal Imagers Can Steal User PINs
Bismillah writes: A British infosec company has discovered that cheap thermal imaging attachments for smartphones can be used to work out which keys users press on -- for instance -- ATM PIN pads. The thermal imprint lasts for a minute or longer. That's especially worrying if your PIN takes the form of letters, as do many users' phone-unlock patterns. -
Samsung Researchers Propose 4,600 Micro-Satellite Space Network
Bismillah writes: Samsung Electronics has proposed a network consisting of 4,600 micro-satellites that could act as backhaul for terrestrial cellular networks and take low-cost internet access worldwide. They project that by 2028, cellular and Wi-Fi traffic will exceed 1 zettabyte/month, and their goal is to design a system with equivalent capacity (PDF). "With the satellite-based backhaul, cellular and wi-fi deployments become practical in remote regions of the earth where there is no wired Internet infrastructure." The plan would require significant amounts of wireless spectrum, as well as satellites capable of 1 Tb/s or higher. -
Cray To Build Australia's Fastest Supercomputer
Bismillah writes: US supercomputer vendor Cray has scored the contract to build the Australian Bureau of Meteorology's new system, said to be capable of 1.6 petaFLOPS and with an upgrade option in three years' time to hit 5 petaFLOPS. From the iTnews story: "The increase in capacity will allow the BoM to deal with growth in the 1TB of data it collects every day, which it expects to increase by 30 percent every 18 months to two years. It will also allow the agency to collect new areas of information it previously lacked the capacity for. 'The new observation platforms that are coming online are bringing quite a lot more data,' supercomputer program director Tim Pugh told iTnews." -
NSA Releases Open Source Security Tool For Linux
Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release. -
Australian Cops and Anti-Corruption Agencies Keen On Hacking Team Malware
Bismillah writes: Although they've denied it in the past, Australia's federal and state police are very interested in Hacking Team's law enforcement spyware. There has also been recent interest from the Victoria state anti-corruption agency IBAC, leaked HT emails show. ITNews reports: "Emails leaked by attackers who infiltrated the systems of spyware provider Hacking Team this week reveal the Australian Federal Police was not the only local agency interested in the firm's suite of surveillance tools. Analysis of the leaked emails by iTnews reveals a number of agencies - including ASIO, IBAC and two local police forces - were also interested in the company's spyware." -
Chilling Effect of the Wassenaar Arrangement On Exploit Research
Bismillah writes: Security researchers are confused as to how the export control and licensing controls covering exploits affect their work. The upcoming Wassenaar restrictions were expected to discourage publication of such research, and now it's already started to happen. Grant Wilcox, writing his dissertation for the University of Northumbria at Newcastle, was forced to take a better-safe-than-sorry approach when it came time to release the vulnerabilities he found in Microsoft's EMET 5.1. "No legal consultation on the matter took place, but Wilcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement. ... Wilcox investigated the export control regulations but was unable to clarify whether it applied to his academic work. The university did not take part. He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other." -
Aussie Telco Caught Handing Over User Mobile Numbers To Websites Without Consent
AlbanX writes: Australian telco Optus has been nabbed passing its customers' mobile phone numbers to third-party websites without the customers' knowledge or consent. The practice, known as HTTP header enrichment, aims to streamline the process of direct billing for customers, but they're not happy. The discovery was made by a user on the telco forum Whirlpool, and Optus confirmed it. They said, "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites." -
Whitehouse Mandates HTTPS For Government Sites and Services
Bismillah writes: As per orders from Tony Scott, the government CIO, all federal agencies with publicly accessible websites must provide service only through a secure HTTPS connection. "Federal websites that do not convert to HTTPS will not keep pace with privacy and security practices used by commercial organizations, and with current and upcoming Internet standards," according to his memo. "This leaves Americans vulnerable to known threats, and may reduce their confidence in their government." -
Macs Vulnerable To Userland Injected EFI Rootkits
Bismillah writes that a new vulnerability in recent Macs — and potentially older ones — can be used to plant code such as rootkits into areas of EFI memory that shouldn't be writeable, but become unlocked after the computer wakes up from sleep mode. The article explains that [The vulnerability] appears to be due to a bug in Apple's sleep-mode energy conservation implementation that can leave areas of memory in the extensible firmware interface (EFI) (which provides low-level hardware control and access) writeable from user accounts on the computer. Memory areas are normally locked as read-only to protect them. However, putting some late-model Macs to sleep for around 20 seconds and then waking them up unlocks the EFI memory for writing. -
Factory Reset On Millions of Android Devices Doesn't Wipe Storage
Bismillah writes: Ross Anderson and Laurent Simon of Cambridge University studied a range of Android devices and found that even though a "factory reset" is supposed to fully wipe storage, it often doesn't. Interestingly enough, full-device encryption could be compromised by the incomplete wiping too. ITnews reports: "The researchers estimated that 500 million Android devices may not fully wipe device disk partitions. As many as 630 million phones may not wipe internal SD cards. Five 'critical failures' were outlined in the researchers' Security Analysis of Android Factory Resets paper." -
Chinese Security Vendor Qihoo 360 Caught Cheating In Anti-virus Tests
Bismillah writes: China's allegedly largest security vendor Qihoo 360 has fessed up to supplying custom versions of its AV for testing, according to an investigation by Virus Bulletin, AV-Comparatives and AV-Test. "On requesting an explanation from Qihoo 360 for their actions (PDF), the firm confirmed that some settings had been adjusted for testing, including enabling detection of types of files such as keygens and cracked software, and directing cloud lookups to servers located closer to the test labs. After several requests for specific information on the use of third-party engines, it was eventually confirmed that the engine configuration submitted for testing differed from that available by default to users." -
Australia To Grade Written Essays In National Exam With Cognitive Computing
New submitter purnima writes: Australia keeps on giving and giving. Each year school kids in Australia sit The National Assessment Program (NAPLAN) which in part tests literacy. The exam includes a written page-long essay aimed at examining both language aptitude and literacy of students. Of course, human-marking of such essays is costly (twenty teacher-minutes per exam). So some bright spark has proposed that the essays be marked by computer. The government is convinced and the program is slated for the 2017 school year. Aside from the moral issues, is AI ready for this major task? -
New Javascript Attack Lets Websites Spy On the CPU's Cache
An anonymous reader writes: Bruce Upbin at Forbes reports on a new and insidious way for a malicious website to spy on a computer. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack. The exploit, which the researchers are calling "the spy in the sandbox," is a form of side-channel attack. Side channel attacks were previously used to break into cars, steal encryption keys and ride the subway for free, but this is the first time they're targeted at innocent web users. The attack requires little in the way of cost or time on the part of the attacker; there's nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker. -
OSGeo Foundation Up In Arms Over ESRI LAS Lock-In Plans
Bismillah writes: The Open Source Geospatial Foundation is outraged over mapping giant ESRI's latest move, which entails vendor lock-in for light detection and ranging (LiDAR) data through its proprietary Optimised LAS format. ESRI is the dominant company in the geospatial data arena, with its ArcGIS mapping platform boasting over a million users and 350,000 customers. -
Australia Passes Mandatory Data Retention Law
Bismillah writes: Opposition from the Green Party and independent members of parliament wasn't enough to stop the ruling conservative Liberal-National coalition from passing Australia's new law that will force telcos and ISPs to store customer metadata for at least two years. Journalists' metadata is not exempted from the retention law, but requires a warrant to access. The metadata of everyone else can be accessed by unspecified government agencies without a warrant, however. -
Cisco SPA300/500 IP Phones Vulnerable To Remote Eavesdropping
Bismillah writes: Cisco has confirmed that its SPA300 and SPA500 are vulnerable to remote eavesdropping and dialing, and is working on a patch. Meanwhile, the advice is not to have the phones on internet-facing connections. From the article: "Cisco has confirmed the issue reported by Watts, which is a result of wrong authentication settings in the default configuration of firmware version 7.5.5. An attacker can send a specially crafted Extended Markup Language (XML) request to devices which will allow them to both make phone calls remotely, and listen in on audio streams. Successful exploits could be used to conduct further attacks, Cisco warned. Despite the confirmed vulnerability, Cisco said the flaw was unlikely to be used and gave it a low 'harassment' severity rating." -
UK's GCHQ Admits To Using Vulnerabilities To Hack Target Systems
Bismillah (993337) writes "Lawyers for the GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally. GCHQ is currently being taken to court by Privacy International and five ISPs from UK, Germany, the Netherlands, Zimbabwe and South Korea for CNE operations that the agency will not confirm nor deny as per praxis." -
Australia May Introduce Site Blocking To Prevent Copyright Infringement
Bismillah writes: The conservative Coalition government in Australia is on the verge of introducing legislation requiring ISPs to block sites alleged of copyright infringement. Details of the bill have not yet been published, but it is expected to be sent to Parliament this week. -
Australian Gov't Tries To Force Telcos To Store User Metadata For 2 Years
AlbanX writes: The Australian Government has introduced a bill that would require telecommunications carriers and service providers to retain the non-content data of Australian citizens for two years so it can be accessed — without a warrant — by local law enforcement agencies. Despite tabling the draft legislation into parliament, the bill doesn't actually specify the types of data the Government wants retained. The proposal has received a huge amount of criticism from the telco industry, other members of parliament and privacy groups. (The Sydney Morning Herald has some audio of discussion about the law.) -
Amazon Web Services To Build Two New Aussie Data Centers
Bismillah writes: Sydney will get two new AWS data centers in the western and south-western parts of the city. AWS apparently decided to build the new DCs after it struggled to find enough Tier III space for rapid expansion in the region. -
Google Finds Vulnerability In SSL 3.0 Web Encryption
AlbanX sends word that security researchers from Google have published details on a vulnerability in SSL 3.0 that can allow an attacker to calculate the plaintext of encrypted communications. Google's Bodo Moller writes, SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue. Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response (PDF) is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks. -
Bash To Require Further Patching, As More Shellshock Holes Found
Bismillah writes: Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trivial to exploit. "The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said. "The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added. -
First Shellshock Botnet Attacking Akamai, US DoD Networks
Bismillah writes: The Bash "Shellshock" bug is being used to spread malware to create a botnet that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named "wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said." -
Amazon Forced To Reboot EC2 To Patch Bug In Xen
Bismillah writes: AWS is currently emailing EC2 customers that it will need to reboot their instances for maintenance over the next few days. The email doesn't explain why the reboots are being done, but it is most likely to patch for the embargoed XSA-108 bug in Xen. ZDNet takes this as a spur to remind everyone that the cloud is not magical. Also at The Register. -
NSW Police Named as FinFisher Spyware Users
Bismillah writes: Wikileaks' latest release of documents shows that the Australian New South Wales police force has spent millions on licenses for the FinFisher set of law enforcement spy- and malware tools — and still has active licenses. What it uses FinFisher for, a tool that has been deployed against dissidents by oppressive regimes, is yet to be revealed. NSW Police spokesperson John Thompson said it would not be appropriate to comment "given this technology relates to operational capability". -
Aussie Airlines To Allow Uninterrupted Mobile Use During Flights
Bismillah (993337) writes "While you're in coverage during take-off and landing, at least. Passengers flying with Qantas and Virgin Australia might be able to leave their devices on from as early as September this year after the Civil Aviation Authority decided it was no longer unsafe to do so." -
Yahoo To Add PGP Encryption For Email
Bismillah (993337) writes: Yahoo is working on an easy-to-use PGP interface for webmail, the company's chief information security officer Alex Stamos said at Black Hat 2014. This could lead to some interesting standoffs with governments and law enforcement wanting to read people's messages. From the article: "'We are working to design a key server architecture that allows for automatic discovery of public keys within Yahoo.com and other participating mail providers and to integrate encryption into the normal mail flow,' Stamos said." -
Unboxing a Cray XC30 'Magnus' Petaflops Supercomputer
Bismillah (993337) writes: The Pawsey Supercomputing Centre in Australia has started unboxing and installing its new upgraded 'Magnus' supercomputer, which could become the largest such system in the southern hemisphere, with up to one petaFLOPS performance. -
Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code
New submitter Brett W (3715683) writes: The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week. -
Australian Website Waits Three Years To Inform Customers of Data Breach
AlbanX (2847805) writes: Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit card issuers, but didn't tell the Privacy Commissioner or customers until July 18th. -
New Mayhem Malware Targets Linux and UNIX-Like Servers
Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute-force password cracking functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013." -
Committee Formed To Scrutinize Australia's Web Censorship Law
Bismillah (993337) writes: A government inquiry has been launched into whether or not Australian authorities are using Section 313 of the Telecommunications Act inappropriately. Last year, the Australian securities watchdog used Section 313 powers to force ISPs to block a quarter of a million web sites — in order to prevent access to just 1,200 sites the authority deemed harmful. From the inquiry page: "How law enforcement agencies use section 313 to request the disruption of such services is an important public policy question. Section 313 is also used for other purposes, but the Committee will inquire solely into and report on government agency use of section 313 for the purpose of disrupting illegal online services. The Committee invites interested persons and organizations to make submissions addressing the terms of reference by Friday 22 August 2014." -
Android Leaks Location Data Via Wi-Fi
Bismillah writes: The Preferred Network Offload feature in Android extends battery life, but it also leaks location data, according to the Electronic Frontier Foundation. What's more, the same flaw is found in Apple OS X and Windows 7. "This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ('Tom’s Wi-Fi'), workplaces ('Company XYZ office net'), churches and political offices ('County Party HQ'), small businesses ('Toulouse Lautrec's house of ill-repute'), and travel destinations ('Tehran Airport wifi'). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi." -
US Wants To Build 'Internet of Postal Things'
dcblogs writes: The U.S. Postal Service plans to spend up to $100,000 to investigate how it can utilize low-cost sensors and related wireless technologies to improve the efficiency of its operations. The postal service already scans letters and parcels up to 11 times during processing, representing 1.7 trillion scans a year. It uses supercomputers to process that data. In theory, the postal service believes that everything it uses — mailboxes, vehicles, machines, or a letter carrier — could be equipped with a sensor to create what it terms the Internet of Postal Things. The Internet has not been kind to the postal service. Electronic delivery has upended the postal service's business model. In 2003, it processed 49 billion pieces of single-piece first-class mail, but by 2013, that figure dropped to 22.6 billion pieces. In other high-tech postal service news, Digital Post Australia has shut down. It was an attempt to digitize snail mail, but they didn't manage to convince enough senders that it was worth trying.