The Courts

ACLU Sues ICE For License Plate Reader Contracts, Records (sfgate.com) 60

An anonymous reader quotes a report from SFGate: The American Civil Liberties Union on Wednesday sued U.S. Immigration and Customs Enforcement for records about the agency's use of license plate reader technology, after ICE apparently failed to turn over records following multiple requests. In December, ICE purchased access to two databases of ALPR data, the complaint reads. One of those databases is managed by Vigilant Solutions, which has contracts with more than two dozen Bay Area law enforcement agencies. "We believe the other is managed by Thomson Reuters," ACLU lawyer Vasudha Talla said. The ACLU and other privacy advocates have expressed concern about how this data will be stored and used for civil immigration enforcement. The ACLU filed two requests under the Freedom of Information Act in March seeking records from ICE, including contracts, memos, associated communications, training materials and audit logs. Since then, ICE has not provided any records, the ACLU said in the complaint, which was filed Tuesday morning in the Northern District Court for the Northern District of California. "The excessive collection and storing of this data in databases -- which is then pooled and shared nationally -- results in a systemic monitoring that chills the exercise of constitutional rights to free speech and association, as well as essential tasks such as driving to work, picking children up from school, and grocery shopping," the complaint said. "We have essentially two concerns: one that is general to ALPR databases, and one that's specific to this situation with ICE," Talla said. "The ACLU has done a lot of work around surveillance technology and ALPR, and we're generally concerned about the aggregation of all this data about license plates paired with a time and location, stretching back for so many months and years."

Security

Personal Records of Nearly 1 Million South Africans Leaked Online (iafrikan.com) 22

Tefo Mohapi, reporting for iAfrikan: Barely a year after South Africa's largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines related online system. Working together with Troy Hunt, an Australian security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan and Hunt, we've managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa. "I have a new leak which might be worthwhile, the database leak contains 1 million records of personal information of South African citizens. Including Identity numbers, cell phone numbers, email addresses, and passwords. I am aware of the website this was leaked from," said our source upon initial contact.

Privacy

'TeenSafe' Phone Monitoring App Leaked Thousands of User Passwords (zdnet.com) 44

An anonymous reader quotes a report from ZDNet: At least one server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of accounts of both parents and children. The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed. But the Los Angeles, Calif.-based company left its servers, hosted on Amazon's cloud, unprotected and accessible by anyone without a password.

"We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The database stores the parent's email address associated with their child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

Privacy

Cell Phone Tracking Firm Exposed Millions of Americans' Real-time Locations (zdnet.com) 39

Earlier this week, ZDNet shed some light on a company called LocationSmart that is buying your real-time location data from four of the largest U.S. carriers. The story blew up because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. ZDNet is now reporting that the company "had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent." An anonymous reader shares an excerpt: "Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here." The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon. Xiao said the bug may have exposed nearly every cell phone customer in the U.S. and Canada, some 200 million customers.

The researcher said he started looking at LocationSmart's website following ZDNet's report this week, which followed from a story from The New York Times, which revealed how a former police sheriff snooped on phone location data without a warrant. The sheriff has pleaded not guilty to charges of unlawful surveillance. He said one of the APIs used in the "try" page that allows users to try the location feature out was not validating the consent response properly. Xiao said it was "trivially easy" to skip the part where the API sends the text message to the user to obtain their consent. "It's a surprisingly simple bug," he said.

Youtube

YouTube Expands Music Credits: Makes It Easier To Identify the Song Featured in a Video (pitchfork.com) 20

Next time you hear a song featured in a YouTube video and you are not sure what it is called, or who made it, you can find out by clicking (or tapping) the "show more" button. From a report: YouTube has announced that the platform is expanding the credits available on videos featuring music. The new description feature, called "Music in this video," provides credits -- which includes artist, songwriter, label, and publisher -- on both music videos and fan-uploaded content that contains recorded music. This feature will also include a link to available official artist channels and official music videos. The expanded credits are made possible by Content ID, a YouTube system that uses copyright owners' information and a database of files to identify and manage content.

Science

Plastic Bag Found at the Bottom of World's Deepest Ocean Trench (nationalgeographic.com) 166

The Mariana Trench -- the deepest point in the ocean -- extends nearly 36,000 feet down in a remote part of the Pacific Ocean. But if you thought the trench could escape the global onslaught of plastics pollution, you would be wrong. From a report: A recent study revealed that a plastic bag, like the kind given away at grocery stores, is now the deepest known piece of plastic trash, found at a depth of 36,000 feet inside the Mariana Trench. Scientists found it by looking through the Deep-Sea Debris Database, a collection of photos and videos taken from 5,010 dives over the past 30 years that was recently made public.

Security

Hacker Shuts Down Copenhagen's Public City Bikes System (bleepingcomputer.com) 72

An anonymous reader writes: "An unidentified hacker has breached Bycyklen -- Copenhagen's city bikes network -- and deleted the organization's entire database, disabling the public's access to bicycles over the weekend," reports Bleeping Computer. The hack took place on the night between Friday, May 4, and Saturday, May 5, the organization said on its website. Bycyklen described the hack as "rather primitive," suggesting it may have been carried out "by a person with a great deal of knowledge of its IT infrastructure." Almost 2,000 bikes were affected, and the company's employees have been working for days, searching for bikes docked across the city and installing a manual update to restore functionality. The company is holding a "treasure hunt," asking users to hunt down and identify non-functional bikes.

Crime

Police Drop Charges Filed Against 19-Year-Old Archivist For Downloading FOIA Releases (techdirt.com) 154

An anonymous reader quotes a report from Techdirt: Last month, [...] an unnamed 19-year-old was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government. The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

Fortunately, Nova Scotia law enforcement has decided there's nothing to pursue in this case: "In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a 'high-profile case that potentially impacted many Nova Scotians.' 'As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offense by accessing the information,' Perrin said in the email."

Security

Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More (theregister.co.uk) 69

Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. "The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million addresses and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

Programming

Microsoft Adds Support For JavaScript Functions in Excel (bleepingcomputer.com) 171

An anonymous reader shares a report: At the Build 2018 developer conference taking place this week in Seattle, USA, Microsoft announced support for custom JavaScript functions in Excel. What this means is that Excel users will be able to use JavaScript code to create a custom Excel formula that will appear in Excel's default formula database. Users will then be able to insert and call these formulas from within Excel spreadsheets, but have a JavaScript interpreter compute the spreadsheet data instead of Excel's native engine. "Office developers have been wanting to write JavaScript custom functions for many reasons," Microsoft says, "such as: (1) Calculate math operations, like whether a number is prime. (2) Bring information from the web, like a bank account balance. (3) Stream live data, like a stock price."

Privacy

Ticketmaster Hopes To Speed Up Event Access By Scanning Your Face (engadget.com) 129

Ticketmaster's parent company, Live Nation, has announced that it has teamed up with and invested in a face recognition company called Blink Identity. The ticket sales giant may have plans to scan your face instead of a ticket to grant you access to a venue. Engadget reports: In its first quarter financial report (PDF), Live Nation has explained that Blink has "cutting-edge facial recognition technology, enabling you to associate your digital ticket with your image, then just walk into the show." According to Blink's website, its system can register an image of your face as soon as you walk past a sensor. Blink's technology can then match it against a large database in half a second -- in a blink, so to speak. It's also apparently powerful enough that you don't even have to slow down for its system to recognize you: Just walk normally, and if the technology gets a match, it'll automatically open doors or turnstiles to let you in.

Software

You Could Be Flirting On Dating Apps With Paid Impersonators (qz.com) 193

Chloe Rose Stuart-Ulin sheds some light on the world of paid impersonators on dating apps like Tinder. Here's an excerpt from the report: Every morning I wake up to the same routine. I log into the Tinder account of a 45-year-old man from Texas -- a client. I flirt with every woman in his queue for 10 minutes, sending their photos and locations to a central database of potential "Opportunities." For every phone number I get, I make $1.75. I'm what's called a "Closer" for the online-dating service ViDA (Virtual Dating Assistants). Men and women (though mostly men) from all over the world pay this company to outsource the labor and tedium of online dating. The matches I speak to on behalf of the Texan man and other clients have no idea they're chatting with a professional.

It shouldn't come as a surprise that these ghostwriting services exist. Tinder alone produces more than 12 million matches a day, and if you're a heterosexual American, you now have a one in three chance of meeting your future husband or wife online. But as e-romance hits an all-time high, our daily dose of rejection, harassment, and heartbreak creeps upward, too. Once you mix in the vague rules of netiquette and a healthy fear of catfishing scams, it's easy to see why someone might want to outsource their online-dating profile to a pro, if only to keep themselves sane. But where does the digital social assistant end and the con artist begin?

Crime

Genealogy Websites Were Key To Big Break In Golden State Killer Case (nytimes.com) 237

An anonymous reader shares a report from The New York Times: The Golden State Killer raped and murdered victims all across the state of California in an era before Google searches and social media, a time when the police relied on shoe leather, not cellphone records or big data. But it was technology that got him. The suspect, Joseph James DeAngelo, 72, was arrested by the police on Tuesday. Investigators accuse him of committing more than 50 rapes and 12 murders. Investigators used DNA from crime scenes and plugged that genetic profile into a commercial online genealogy database. They found distant relatives of Mr. DeAngelo's and traced their DNA to him.

"We found a person that was the right age and lived in this area -- and that was Mr. DeAngelo," said Steve Grippi, the assistant chief in the Sacramento district attorney's office. Investigators then obtained what Anne Marie Schubert, the Sacramento district attorney, called "abandoned" DNA samples from Mr. DeAngelo. "You leave your DNA in a place that is a public domain," she said. The test result confirmed the match to more than 10 murders in California. Ms. Schubert's office then obtained a second sample and came back with the same positive result, matching the full DNA profile. Representatives at 23andMe and other gene testing services denied on Thursday that they had been involved in identifying the killer.

Bitcoin

Bezop Cryptocurrency Server Exposes Personal Info of 25,000 Investors (threatpost.com) 28

lod123 shares a report from Threatpost: A leaky Mongo database exposed personal information, including scanned passports and driver's licenses, of 25,000 investors and potential investors tied to the Bezop cryptocurrency, according to researchers. Kromtech Security said that it found the unprotected data on March 30, adding that it included a treasure-trove of information ranging from "full names, (street) addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver's licenses and other IDs," according to the researchers. Kromtech researchers, in their overview of the results of their investigation, said that Bezop.io, the organization behind the currency, immediately secured the data after being notified. Bezop is one of over 1,000 cryptocurrencies in a crowded playing field vying for investor attention. According to Kromtech, the list of 25,000 people included both current and prospective investors promised Bezop cryptocurrency in exchange for promoting the cryptocurrency on social media.

Open Source

Apple Open Sources FoundationDB (macrumors.com) 50

Apple's FoundationDB company announced on Thursday that the FoundationDB core has been open sourced with the goal of building an open community with all major development done in the open. The database company was purchased by Apple back in 2015. As described in the announcement, FoundationDB is a distributed datastore that's been designed from the ground up to be deployed on clusters of commodity hardware. Mac Rumors reports: By open sourcing the project to drive development, FoundationDB is aiming to become "the foundation of the next generation of distributed databases": "The vision of FoundationDB is to start with a simple, powerful core and extend it through the addition of 'layers'. The key-value store, which is open sourced today, is the core, focused on incorporating only features that aren't possible to write in layers. Layers extend that core by adding features to model specific types of data and handle their access patterns. The fundamental architecture of FoundationDB, including its use of layers, promotes the best practices of scalable and manageable systems. By running multiple layers on a single cluster (for example a document store layer and a graph layer), you can match your specific applications to the best data model. Running less infrastructure reduces your organization's operational and technical overhead." The source for FoundationDB is available on GitHub, and those who wish to join the project are encouraged to visit the FoundationDB community forums, submit bugs, and make contributions to the core software and documentation.

Facebook

'Login With Facebook' Data Hijacked By JavaScript Trackers (techcrunch.com) 91

An anonymous reader quotes a report from TechCrunch: Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data. The abusive scripts were found on 434 of the top 1 million websites including freelancer site Fiverr.com, camera seller B&H Photo And Video, and cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.

Microsoft

Microsoft Ports Edge Anti-Phishing Technology To Google Chrome (bleepingcomputer.com) 75

An anonymous reader writes: Microsoft has released a Chrome extension named "Windows Defender Browser Protection" that ports Windows Defender's -- and inherently Edge's -- anti-phishing technology to Google Chrome. The extension works by showing bright red-colored pages whenever users are tricked into accessing malicious links. The warnings are eerily similar to the ones that Chrome natively shows via the Safe Browsing API, but are powered by Microsoft's database of malicious links -- also known as the SmartScreen API.

Chrome users should be genuinely happy that they can now use both APIs for detecting phishing and malware-hosting URLs. The SmartScreen API isn't as well known as Google's more famous Safe Browsing API, but works in the same way, and possibly even better. An NSS Labs benchmark revealed that Edge (with its SmartScreen API) caught 99 percent of all phishing URLs thrown at it during a test last year, while Chrome only detected 87 percent of the malicious links users accessed.

Security

Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 246

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

Classic Games (Games)

Guinness Strips Billy 'King of Kong' Mitchell's World Records (engadget.com) 58

In February, legendary arcade gamer Billy Mitchell was accused of cheating his way into the record books for high scores in Donkey Kong. As a result, he was stripped of his 1.062 million score on the Donkey Kong Forums. Today, Kotaku reports that "Guinness World Records will remove Billy Mitchell's Donkey Kong scores, as well as his records for Pac-Man, from their database following Mitchell's disqualification from the Twin Galaxies leaderboards yesterday." From the report: Mitchell is one of the world's most famous arcade game players, at one time holding world records in Donkey Kong, Donkey Kong Jr, and Pac-Man. Yesterday, all of Mitchell's records were removed from the leaderboards at Twin Galaxies, an organization that tracks video game records and high scores. The decision came after a lengthy arbitration process determined that Mitchell used the Multiple Arcade Machine Emulator (MAME) to achieve some record scores that had been said to be performed on arcade machines, a violation of Twin Galaxies' rules. In light of this, Guinness World Records will also remove his records.

"The Guinness World Records titles relating to Mr. Mitchell's highest scores on Donkey Kong have all been disqualified due to Twin Galaxies being our source of verification for these achievements," a representative of Guinness told Kotaku via email. Mitchell did not return a request for comment. Guinness continued, "We also recognize records for First perfect score on Pac-Man and Highest score on Pac-Man. Twin Galaxies was the original source of verification for these record titles and in line with their decision to remove all of Mr. Mitchell's records from their system, we have disqualified Mr. Mitchell as the holder of these two records. Guinness World Records will look to update and find the appropriate holder of these records in the next few days."

Security

Uber's 2016 Breach Affected More Than 20 Million US Users (bloomberg.com) 6

An anonymous reader quotes a report from Bloomberg: A data breach in 2016 exposed the names, phone numbers and email addresses of more than 20 million people who use Uber's service in the U.S., authorities said on Thursday, as they chastised the ride-hailing company for not revealing the lapse earlier. The Federal Trade Commission said Uber failed to disclose the leak last year as the agency investigated and sanctioned the company for a similar data breach that happened in 2014. "After misleading consumers about its privacy and security practices, Uber compounded its misconduct," said Maureen Ohlhausen, the acting FTC chairman. She announced an expansion of last year's settlement with the company and said the new agreement was "designed to ensure that Uber does not engage in similar misconduct in the future."

In the 2016 breach, intruders in a data-storage service run by Amazon.com Inc. obtained unencrypted consumer personal information relating to U.S. riders and drivers, including 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver's license numbers, the FTC said in a complaint. Under the revised settlement, Uber could be subject to civil penalties if it fails to notify the FTC of future incidents, and it must submit audits of its data security, the agency said.
