Security

With Rising Database Breaches, Two-Factor Authentication Also At Risk (hackaday.com) 82

Two-factor authentication "protects from an attacker listening in right now," writes Slashdot reader szczys, "but in many case a database breach will negate the protections of two-factor." Hackaday reports: To fake an app-based 2FA query, someone has to know your TOTP password. That's all, and that's relatively easy. And in the event that the TOTP-key database gets compromised, the bad hackers will know everyone's TOTP keys.

How did this come to pass? In the old days, there was a physical dongle made by RSA that generated pseudorandom numbers in hardware. The secret key was stored in the dongle's flash memory, and the device was shipped with it installed. This was pretty plausibly "something you had" even though it was based on a secret number embedded in silicon. (More like "something you don't know?") The app authenticators are doing something very similar, even though it's all on your computer and the secret is stored somewhere on your hard drive or in your cell phone. The ease of finding this secret pushes it across the plausibility border into "something I know", at least for me.
The original submission calls two-factor authentication "an enhancement to password security, but good password practices are far and away still the most important of security protocols." (Meaning complex and frequently-changed passwords.)
Google

On the Google Book Scanning Project and the Library We Will Never See (theatlantic.com) 153

For a decade, Google's enormous project to create a massive digital library of books was embroiled in litigation with a group of writers who say it was costing them a lot of money in lost revenue. Even as Google notched a victory when a federal appeals court ruled that the company's project was fair use, the company quietly shut down the project. From an article published in April this year: Despite eventually winning Authors Guild v. Google, and having the courts declare that displaying snippets of copyrighted books was fair use, the company all but shut down its scanning operation. It was strange to me, the idea that somewhere at Google there is a database containing 25-million books and nobody is allowed to read them. It's like that scene at the end of the first Indiana Jones movie where they put the Ark of the Covenant back on a shelf somewhere, lost in the chaos of a vast warehouse. It's there. The books are there. People have been trying to build a library like this for ages -- to do so, they've said, would be to erect one of the great humanitarian artifacts of all time -- and here we've done the work to make it real and we were about to give it to the world and now, instead, it's 50 or 60 petabytes on disk, and the only people who can see it are half a dozen engineers on the project who happen to have access because they're the ones responsible for locking it up. But Google seems to be thinking ways to make use of it, it appears. Last month, it added a new feature to its search function that instantly connects you with eBook data from libraries near you. From a report: Now, every time you search for a book through Google, information about your local library rental options will be easily available. Yeah, that's right. Your local library not only still exists, but it has eBooks, which are things you can totally borrow (for free) online! Before, this perk was hidden somewhere deep within your local library's website -- assuming it had one -- but now these free literary wonders are all yours for the taking.
Google

How Google's Pixel 2 'Now Playing' Song Identification Works (venturebeat.com) 129

An anonymous reader shares a report from VentureBeat, written by Emil Protalinski: The most interesting Google Pixel 2 and Pixel 2 XL feature, to me, is Now Playing. If you've ever used Shazam or SoundHound, you probably understand the basics: The app uses your device's microphone to capture an audio sample and creates an acoustic fingerprint to compare against a central song database. If a match is found, information such as the song title and artist are sent back to the user. Now Playing achieves this with two important differentiators. First, Now Playing detects songs automatically without you explicitly asking -- the feature works when your phone is locked and the information is displayed on the Pixel 2's lock screen (you'll eventually be able to ask Google Assistant what's currently playing, but not yet). Secondly, it's an on-device and local feature: Now Playing functions completely offline (we tested this, and indeed it works with mobile data and Wi-Fi turned off). No audio is ever sent to Google.
Science

Over 30,000 Published Studies Could Be Wrong Due To Contaminated Cells (sciencealert.com) 106

An anonymous reader quotes a report from Science Alert: Researchers warn that large parts of biomedical science could be invalid due to a cascading history of flawed data in a systemic failure going back decades. A new investigation reveals more than 30,000 published scientific studies could be compromised by their use of misidentified cell lines, owing to so-called immortal cells contaminating other research cultures in the lab. The problem is as serious as it is simple: researchers studying lung cancer publish a new paper, only it turns out the tissue they were actually using in the lab were liver cells. Or what they thought were human cells were mice cells, or vice versa, or something else entirely. If you think that sounds bad, you're right, as it means the findings of each piece of affected research may be flawed, and could even be completely unreliable.

Horback and fellow researcher Willem Halffman wanted to know how extensive the phenomenon of misidentified cell lines really was, so they searched for evidence of what they call "contaminated" scientific literature. Using the research database Web of Science, they looked for scientific articles based on any of the known misidentified cell lines as listed by the International Cell Line Authentication Committee's (ICLAC) Register of Misidentified Cell Lines.There are currently 451 cell lines on this list, and they're not what you think they are -- having been contaminated by other kinds of cells at some point in scientific history. Worse still, they've been unwittingly used in published laboratory research going as far back as the 1950s.

Science

Peer Pressure Forced Whales and Dolphins To Evolve Big Brains Like Humans, Says Study (qz.com) 97

An anonymous reader quotes a report from Quartz: The human brain has evolved and expanded over millennia to accommodate our ever-more-complex needs and those of our societies. This process is known as "encephalization" and has given us the big brain we need to communicate, cooperate, reach consensus, empathize, and socialize. The same is true for cetaceans, like whales and dolphins, it seems. These sea creatures also grew big brains in order to better live in societies, according to a study published on Oct. 16 in Nature Ecology & Evolution. According to Michael Muthukrishna, an economic psychologist at the London School of Economics and co-author of the study, the researchers used two related theories, the Social-Brain Hypothesis and the Cultural-Brain Hypothesis, to make predictions about various relationships between brain size, societal organization, and the breadth of behaviors the cetaceans would display. Then they tested these predictions by creating and evaluating a comprehensive database of cetacean brain size, social structures, and cultural behaviors across species using data from prior studies on 90 types of whales and dolphins.

The study found that cetaceans had complex alliances and communications, played and worked together for mutual benefit, and could even work with other species, like humans. Some also have individual signifiers, sounds that set them apart from others, and can mimic the sounds of others. In addition, it found that brain size predicted the breadth of social and cultural behaviors of these marine creatures (though ecological factors, like prey diversity and latitudinal range, also played a role). The researchers concluded there was a tie between cetacean encephalization, social structure, and group size.

Microsoft

Microsoft Responded Quietly After Detecting Secret Database Hack in 2013 (reuters.com) 48

Citing five former employees, Reuters reported on Tuesday that Microsoft's secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago. From the report: The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident. The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins. The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks. "Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time.
Security

Millions of High-Security Crypto Keys Crippled by Newly Discovered Flaw (arstechnica.com) 55

Slovak and Czech researchers have found a vulnerability that leaves government and corporate encryption cards vulnerable to hackers to impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, reports ArsTechnica. From the report: The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. On Monday, officials posted this update. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to high-targeted individuals and organizations.
Businesses

Despite Sanctions, Russian Organisations Acquire Microsoft Software (reuters.com) 44

An anonymous reader shares a report: Software produced by Microsoft has been acquired by state organizations and firms in Russia and Crimea despite sanctions barring U.S-based companies from doing business with them, official documents show. The acquisitions, registered on the Russian state procurement database, show the limitations in the way foreign governments and firms enforce the U.S. sanctions, imposed on Russia over its annexation of the Crimea peninsula from Ukraine in 2014. Some of the users gave Microsoft fictitious data about their identity, people involved in the transactions told Reuters, exploiting a gap in the U.S. company's ability to keep its products out of their hands. The products in each case were sold via third parties and Reuters has no evidence that Microsoft sold products directly to entities hit by the sanctions. "Microsoft has a strong commitment to complying with legal requirements and we have been looking into this matter in recent weeks," a Microsoft representative said in an emailed response to questions from Reuters.
Communications

T-Mobile Website Allowed Hackers to Access Your Account Data With Just Your Phone Number (vice.com) 62

Lorenzo Franceschi-Bicchierai, reporting for Motherboard: Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victim's numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added.
Businesses

The Case Against Biometric IDs (nakedcapitalism.com) 146

"The White House and Equifax Agree: Social Security Numbers Should Go," reads a headline at Bloomberg. Securities lawyer Jerri-Lynn Scofield tears down one proposed alternative: a universal biometric identity system (possibly using fingerprints and an iris scan) with further numeric verification. Presto Vivace shared the article: Using a biometric system when the basic problem of securing and safeguarding data have yet to be solved will only worsen, not address, the hacking problem. What we're being asked to do is to turn over our biometric information, and then trust those to whom we do so to safeguard that data. Given the current status of database security, corporate and governmental accountability, etc.: How do you think that is going to play out...?

[M]aybe we should rethink the whole impulse to centralize such data collection, for starters. And, after such a thought experiment, then further focus on obvious measures to safeguard such information -- such as installing regular software patches that could have prevented the Equifax hack -- should be the priority. And, how about bringing back a concept in rather short supply in C-suites -- that of accountability? Perhaps measures to increase that might be a better idea than gee whiz misdirected techno-wizardry... The Equifax hack has revealed the sad and sorry state of cybersecurity. But inviting the biometric ID fairy to drop by and replace the existing Social Security number is not the solution.

The article calls biometric identification systems "another source of data to be mined by corporations, and surveilled by those who want to do so. And it would ultimately not foil identity theft." It suggests currently biometric ids are a distraction from the push to change the credit bureau business model -- for example, requiring consumers to opt-in to the collection of their personal data.
Security

Disqus Confirms Over 17.5 Million Email Addresses Were Stolen In 2012 Hack of Its Comments Tool (zdnet.com) 81

Disqus, a company that builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012. "About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers," reports ZDNet. From the report: Some of the exposed user information dates back to 2007. Many of the accounts don't have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google. The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach. The company said in a blog post, posted less than a day after Hunt's private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach. Users whose passwords were exposed will have their passwords force-reset. The company warned users who have used their Disqus password on other sites to change the password on those accounts.
Government

IRS Awards $7 Million Fraud Prevention Contract To Equifax (politico.com) 115

An anonymous reader quotes a report from Politico: The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans. A contract award for Equifax's data services was posted to the Federal Business Opportunities database Sept. 30 -- the final day of the fiscal year. The credit agency will "verify taxpayer identity" and "assist in ongoing identity verification and validations" at the IRS, according to the award. The notice describes the contract as a "sole source order," meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract. Lawmakers on both sides of the aisle blasted the IRS decision.
Privacy

Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com) 33

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VIN (vehicle identification number), IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.
Businesses

Oracle's Larry Ellison Pokes Amazon Again With New Cloud Pricing Plan (siliconangle.com) 65

Oracle went on the offensive again versus Amazon.com this week with a new cloud pricing plan that gives discounts to Oracle database customers who move their databases to the cloud. From a report: Chairman and Chief Technology Officer Larry Ellison said during an event at its Redwood City, California headquarters that while Oracle has matched Amazon Web Services for base-level computing, storage and networking services known as infrastructure as a service, it's now moving to make higher-level cloud services such as databases and analytics cheaper than AWS's. Actually, Ellison claimed that Oracle's infrastructure runs faster and therefore ends up costing less, but it's clear that the company is focusing more on its traditional strengths one tier up from the infrastructure: so-called platform as a service offerings such as the Oracle Database. Oracle said it will allow customers to move their existing licenses for databases, middleware and analytics to Oracle's platform services, just as they've allowed them to bring licenses to its infrastructure before.
Android

Apple's A11 Bionic Chip In iPhone 8 and iPhone X Smokes Android Handsets In Early Benchmarks (hothardware.com) 332

MojoKid writes: Many of the new releases of Apple's iPhone bring with it a new A-series SoC (System on Chip) and Apple is keeping that tradition with the iPhone 8 and iPhone 8 Plus, and iPhone X. Each of those handsets sports a custom ARM-based A11 Bionic processor with six cores -- four high performance cores and two power efficiency cores. The two power efficiency cores will perform the bulk medial chores to maintain battery life, which Apple says will be 2 hours longer than the iPhone 7. However, for heavier workloads, the chip is capable of not only firing up its four high performance cores, but also all six cores simultaneously. If early leaked benchmarks are any indication, the A11 Bionic is going to be a benchmark-busting beast of a chip. A set of just-posted Geekbench scores reinforces that notion. Just prior to Apple announcing its newest iPhone models, Geekbench's database was updated with a new entry for an "iPhone 10,5" which we assume to be the iPhone X. Based on the scores recorded, in this one benchmark at least, the A11 CPU powering the iPhone X appears to be 50 to 70 percent faster than any Android handset on the market currently, even those powered by the new Qualcomm Snapdragon 835.
Music

Can Blockchain Save The Music Industry? (wired.com) 129

An anonymous reader quotes Wired: Last fall, a group of music industry heavyweights gathered in New York City to do something they'd mostly failed to do up to that point: work together. Representatives from major labels like Universal, Sony, and Warner sat next to technologists from companies like Spotify, YouTube, and Ideo and discussed the collective issues threatening their industry... The participants of that confab would later form a group called the Open Music Initiative... "Pretty early on it was obvious that there's an information gap in the industry," says Erik Beijnoff, a product developer at Spotify and a member of the OMI.

That "information gap" refers to the data around who helped create a song. Publishers might keep track of who wrote the underlying composition of a song, or the session drummer on a recording, but that information doesn't always show up in a digital file's metadata. This disconnect between the person who composed a song, the person who recorded it, and the subsequent plays, has led to problems like writers and artists not getting paid for their work, and publishers suing streaming companies as they struggle to identify who is owed royalties. "It's a simple question of attribution," says Berklee College of Music's vice president of innovation and strategy, Panos A. Panay. "And payments follow attribution."

Over the last year, members of the OMI -- almost 200 organizations in total -- have worked to develop just that. As a first step, they've created an API that companies can voluntarily build into their systems to help identify key data points like the names of musicians and composers, plus how many times and where tracks are played. This information is then stored on a decentralized database using blockchain technology -- which means no one owns the information, but everyone can access it.

Earth

UN Aviation Agency To Call For Global Drone Registry (reuters.com) 47

An anonymous reader quotes a report from Reuters: The United Nations' aviation agency is backing the creation of a single global drone registry, as part of broader efforts to come up with common rules for flying and tracking unmanned aircraft. While the International Civil Aviation Organization cannot impose regulations on countries, ICAO has proposed formation of the registry during a Montreal symposium this month to make data accessible in real time, said Stephen Creamer, director of ICAO's air navigation bureau. The single registry would eschew multiple databases in favor of a one-stop-shop that would allow law enforcement to remotely identify and track unmanned aircraft, along with their operator and owner. It's not yet clear who would operate such a database, although ICAO could possibly fill that role. The proposal, however, could face push back from users, after hobbyists successfully challenged the creation of a U.S. drone registry by the Federal Aviation Administration in court earlier this year.
Security

Mexican Tax Refund Site Left 400GB of Sensitive Customer Info Wide Open (theregister.co.uk) 18

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. From a report: A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of sensitive information could be either downloaded or viewed because of a lack of access controls before the system was recently secured.
Security

Over 28 Million Records Stolen In Breach of Latin American Social Network Taringa (thehackernews.com) 16

Taringa, also known as "The Latin American Reddit," has been compromised in a massive data breach that has resulted in the leaked login credentials of almost all of its over 28 million users. The Hackers News reports: The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users. The hashed passwords use an ageing algorithm called MD5 -- which has been considered outdated even before 2012 -- that can easily be cracked, making Taringa users open to hackers. Wanna know how weak is MD5? LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days. The data breach reportedly occurred last month, and the company then alerted its users via a blog post: "It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says. "At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."

Slashdot Top Deals