Six months ago, Google offered to pay $200,000 to any researcher who could remotely hack into an Android device by knowing only the victim’s phone number and email address. No one stepped up to the challenge. While that might sound like good news and a testament to the mobile operating system’s strong security, that’s likely not the reason why the company’s Project Zero Prize contest attracted so little interest. From the start, people pointed out that $200,000 was too low a prize for a remote exploit chain that wouldn’t rely on user interaction. “If one could do this, the exploit could be sold to other companies or entities for a much higher price,” one user responded to the original contest announcement in September. “Many buyers out there could pay more than this price; 200k not worth for finding needle under haystack,” said another. Google was forced to acknowledge this, noting in a blog post this week that “the prize amount might have been too low considering the type of bugs required to win this contest.” Other reasons that might have led to the lack of interest, according to the company’s security team, might be the high complexity of such exploits and the existence of competing contests where the rules were less strict. In order to gain root or kernel privileges on Android and fully compromise a device, an attacker would have to chain multiple vulnerabilities together. At the very least, they would need a flaw that would allow them to remotely execute code on the device, for example within the context of an application, and then a privilege escalation vulnerability to escape the application sandbox. Judging by Android’s monthly security bulletins, there’s no shortage of privilege escalation vulnerabilities. However, Google wanted for exploits submitted as part of this contest to not rely on any form of user interaction. This means the attacks should have worked without users clicking on malicious links, visiting rogue websites, receiving and opening files, and so on. This rule significantly restricted the entry points that researchers could use to attack a device. The first vulnerability in the chain would have had to be located in the operating system’s built-in messaging functions like SMS or MMS, or in the baseband firmware — the low-level software that controls the phone’s modem and which can be attacked over the cellular network. One vulnerability that would have met these criteria was discovered in 2015 in a core Android media processing library called Stagefright, with researchers from mobile security firm Zimperium finding the vulnerability. The flaw, which triggered a large coordinated Android patching effort at the time, could have been exploited by simply placing a specially crafted media file anywhere on the device’s storage. One way to do that involved sending a multimedia message (MMS) to targeted users and didn’t require any interaction on their part. Merely receiving such a message was enough for successful exploitation. Many similar vulnerabilities have since been found in Stagefright and in other Android media processing components, but Google changed the default behavior of the built-in messaging apps to no longer retrieve MMS messages automatically, closing that avenue for future exploits. “Remote, unassisted, bugs are rare and require a lot of creativity and sophistication,” said Zuk Avraham, founder and chairman of Zimperium, via email. They’re worth much more than $200,000, he said. An exploit acquisition firm called Zerodium is also offering $200,000 for remote Android jailbreaks, but it doesn’t put a restriction on user interaction. Zerodium sells the exploits it acquires to their customers, including to law enforcement and intelligence agencies. So why go to the trouble of finding rare vulnerabilities to build fully unassisted attack chains when you can get the same amount of money — or even more on the black market — for less sophisticated exploits? “Overall, this contest was a learning experience, and we hope to put what we’ve learned to use in Google’s rewards programs and future contests,” Natalie Silvanovich, a member of Google’s Project Zero team, said in the blog post. To that end, the team is expecting comments and suggestions from security researchers, she said. It’s worth mentioning that despite this apparent failure, Google is a bug bounty pioneer and has run some of the most successful security reward programs over the years covering both its software and online services. There’s little chance that vendors will ever be able to offer the same amount of money for exploits as criminal organizations, intelligence agencies, or exploit brokers. Ultimately, bug bounty programs and hacking contests are aimed at researchers who have an inclination toward responsible disclosure to begin with. The post Google's Android hacking contest fails to attract exploits appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/googles-android-hacking-contest-fails-to-attract-exploits/
0 Comments
Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use. Viewed from less than two feet away, this ATM looks reasonably safe to use, right? ![]() Although it may be difficult to tell from even this close, this ATM’s card acceptance slot and cash dispenser are both compromised by skimming devices. But something fishy comes into view when we change our perspective slightly. Can you spot what doesn’t belong here? ![]() Can you spot what doesn’t belong here? Congratulations if you noticed the tiny pinhole in the upper right corner of the phony black bezel that was affixed over top of the cash dispenser slot. That fake bezel overlay contained a tiny pinhole camera angled toward the PIN pad to record time-stamped videos of people entering their PINs: ![]() A closeup of the tiny pinhole that allows a mini spy camera embedded in the fake cash dispenser bezel to record customers entering their PINs. How about the card acceptance slot? Looks legit (if a tad shinier than the rest of the ATM), right? What happens if we apply a tiny bit of pressure to the anti-skimming green bezel where customers are expected to insert their ATM cards? Look at that! The cheap plastic bezel that skimmer thieves placed on top of the real card acceptance slot starts to pull away. Also, you can see some homemade electronics that are not very well hidden at the mouth of the bezel. ![]() Notice the left side of this card skimmer overlay starts to pull away from the rest of the facade when squeezed. Also note the presence of a circuit board close to the mouth of the fake bezel. ATM card skimmers contain tiny bits of electronics that record payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM. Most commonly (as in this case), a card skimmer is paired with a pinhole spy camera hidden above or beside the PIN pad to record time-stamped video of cardholders entering their PINs. Taken together, the stolen data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts. Card skimmers designed to look like the green anti-skimming devices found on many ATMs are some of the most common cash machine skimming devices in use today, probably because they are relatively cheap to manufacture en masse and there are many fraudsters peddling these in the cybercrime underground. Typically, the fake anti-skimmer bezels like the one pictured above are made of hard plastic. However, the reader who shared these images said this bezel card skimming device was made of a semi-flexible, vinyl-like plastic material. “I immediately went in and notified the manager who shut down the machine,” the reader said in an email to KrebsOnSecurity. “All the tellers were busy so he asked me to stand by the ATM and stop people from trying to use it while he called his security team. In the three minutes I was standing there a young woman came up and started to dip her card in the slot even thought the screen was black. I stopped her and told her and pointed out what was going. She was thankful.” Normally, these bezel skimmers look more like the hard plastic one that came off of this ATM at a 7-Eleven convenience store in Texas in February, after a customer yanked on the ATM’s card acceptance slot: ![]() A skimmer overlay that came off an ATM at a 7-Eleven convenience store in Texas after a curious customer tugged on the card slot. Many people believe that skimmers are mainly a problem in the United States, where most ATMs still do not require more secure chip-based cards that are far more expensive and difficult for thieves to clone. However, it’s precisely because most U.S. ATMs lack this security requirement that skimming remains so prevalent in Europe. Mainly for reasons of backward compatibility to accommodate American tourists, many European ATMs allow non-chip-based cards to be inserted into the cash machine. What’s more, many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip. When thieves skim ATMs in Europe, they generally sell the stolen card and PIN data to fraudsters on the other side of the pond. Those fraudsters in turn will encode the card data onto counterfeit cards and withdraw cash at ATMs here in the United States. Interestingly, even after most U.S. banks put in place chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The main reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time. Below is part of a skimming device that a reader recently pulled off of a compromised ATM in Dusseldorf, Germany. This component actually cracked off of the hard plastic fake anti-skimming bezel that was placed by a fraudster over top of the card acceptance device of an NCR cash machine there. Here’s the plastic overlay that the piece pictured in the reader’s hand above broke away from: It’s fine to tug on parts of an ATM before using it (heck, I’ve been known to do this even for machines I have no intention of using), but just know that doing so doesn’t guarantee that you will detect a cleverly hidden skimmer. As I’ve noted in countless skimmer stories here, the simplest way to protect yourself from ATM skimming is to cover your hand when entering your PIN. That’s because most skimmers rely on hidden cameras to steal the victim’s PIN. As easy as this is, you’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers). Also, if you visit an ATM that looks strange, tampered with, or out of place, try to find another cash machine. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Finally, don’t neglect your own physical security while at the cash machine: As common as these skimmers are, you’re probably more likely to get mugged withdrawing cash from an ATM than you are to find a skimmer attached to it. Did you enjoy this post? Are you fascinated by skimming devices? Check out my series, All About Skimmers. Tags: 7-Eleven skimmer, atm skimmer, bezel skimmer
You can skip to the end and leave a comment. Pinging is currently not allowed. The post Why I Always Tug on the ATM appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/why-i-always-tug-on-the-atm/ Virtual private networks (VPNs) encrypt internet connections between two points, to secure them from casual snoopers and hackers. These VPN services are particularly useful when accessing the internet from an untrusted location, such as a hotel, café or coworking space. A plethora of modern VPN services, with dedicated connectivity apps, have put an end to the maddening manual configuration VPNs once required. No two VPN offerings are alike, however, and it can be a challenge to find the right VPN. Here’s a look at some of the top VPNs for privacy and security. VyprVPNThe VyprVPN by Golden Frog is a polished and intuitive option. The developer is based in Switzerland, which has strict privacy laws, and VyprVPN clusters servers by country so you don’t have to scroll through long lists of server options that may not even be available in your area. The app can also automatically connect to servers in the regions with the lowest latency, and it can switch server clusters in the case of an outage. VyprVPN offers a broad range of officially supported platforms, including Windows, macOS, Linux, Android and iOS, as well as other devices such as Tomato-based routers and smart TVs. Extensive documentation on how to configure popular platforms such as DD-WRT, OpenWRT and Synology’s DiskStation Manager platform is also available. The company says it uses proprietary software code on the backend and operates its VPN service entirely from its own hardware, including DNS, routers and servers for end-to-end privacy. Golden Frog’s global network spans more than 70 locations and it works with a pool of more than 200,000 IP addresses. VyprVPN offers unlimited data for subscribers, with pricing tiers geared for different numbers of simultaneously connected devices (starting at $9.99 per month). You can also get 500MB of VyprVPN use for free by signing up via one of the company’s official apps. ExpressVPNWith more than a thousand servers across 87 countries, ExpressVPN is one of the largest commercial VPN providers. The service promises to never log browsing history, traffic data or DNS queries, and it says it is a financial supporter of the Electronic Frontier Foundation, a privacy-protection group. (The company does log a limited amount of data to improve performance, such as dates of logons, but not timestamps, server locations or the amount of data customers transfer per day.) ExpressVPN supports a large range of platforms, including Windows, macOS, Linux, Android and iOS. People who want to use ExpressVPN with their home or office routers will appreciate the company’s instructions on how to manually configure supported routers to access its service. Custom ExpressVPN firmware is also available, with instructions on how to flash supported routers for free. However, it currently supports only the Linksys WRT1200AC and Linksys WRT3200AC routers. ExpressVPN supports unlimited data for up to three simultaneous devices, and its price plan starts at $12.95 per month, with a discount for people who prepay for a year ($8.32 a month). If you want to use more than three devices at a time you need to buy a second subscription, but the company encourages customers to use ExpressVPN on a router to circumvent this limitation. NordVPNNordVPN takes your privacy very seriously. In addition to a promise not to log any of your activity, the provider uses a unique “double” VPN technology that essentially uses two servers to further obfuscate the inbound and outbound data streams from its servers. All incoming data is also encrypted with AES-256-CBC, and the tech is applied twice for added security. The company offers apps for Windows, macOS, Android and iOS, though there is no official app for Linux. Tech-savvy users can, however, configure almost any platform to work with NordVPN, and a lengthy list of tutorials offers in-depth configuration information for Chrome OS, a MikroTik router and more. The standard NordVPN plan gives unmetered access to six simultaneous devices. Its pricing plans are also affordable. A current promotion offers the services for two years for $79, or only $3.29 per month. And if you prefer anonymity, you can pay for your NordVPN accounts using Bitcoin. CyberGhost VPNRomania-based CyberGhost publishes an annual transparency report to show the number of requests or demands for log files it receives every month. The service also comes with “anti-fingerprinting” features, which work as a proxy to cloak the browsers and PCs that use the service to access the Internet. CyberGhost offers one of the more full-featured VPN apps, and it includes the capability to automatically launch when it connects to a new Wi-Fi network. The feature eliminates the need to remember to connect for protection, and it can also be configured to connect via VPN when you launch internet apps such as BitTorrent. Separately, an “unblock streaming” feature lets you unblock geo-locked services such as Netflix and BBC with a single click, and a data-compression option helps you reduce data drain when using a mobile device. An ad-supported option offers free access to CyberGhost without registration, though its speeds are slower and BitTorrent is blocked. Paid subscriptions remove ads and quintuple the network speed, but only the most expensive Premium Plus ($10.99 per month) subscription offers simultaneous use of as many as five devices. PureVPNPureVPN offers a variety of features not available from other VPN providers, including the capability to use a dedicated IP address, for a higher level of privacy and security. The IP-address feature is available as an add-on, and it’s particularly useful for further securing your online activities given the service’s capability to configure online firewalls, including the security group rules for Amazon Web Services, to accept connections only from designated IP addresses. PureVPN offers optimized sports-streaming servers with up to 20Mbps streaming speed, and it has built-in DDoS protection. The service runs on a hefty worldwide network of more than 500 servers in 141 countries. And PureVPN has its headquarters in Hong Kong. Payment options include credit cards, Alibaba’s Alipay, and even gift cards from Best Buy and Walmart. Pricing starts at $10.95 per month. PureVPN also offers Business VPN services, with round-the-clock support and a dedicated management portal. Privacy and reliability aside, performance is the most crucial component of any VPN service. Unfortunately, it’s very difficult to determine performance without running tests from specific locations. A VPN service that works well at a specific time of day and under one workload may be unusable for someone else in another part of the world. In other words, try a VPN service out for a few weeks before you invest in it long term. This story, “Top 5 VPN services for personal privacy and security” was originally published by The post Top 5 VPN services for personal privacy and security appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/top-5-vpn-services-for-personal-privacy-and-security/ He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes. Taylor Huddleston woke early on December 6th, hours before the Arkansas winter morning would stir to life with the sound of roosters and dogs. Since selling off the last piece of his software business two months earlier, Huddleston had nothing in particular to do, and he’d been keeping odd hours. While his girlfriend slept in the next room, he browsed Reddit and YouTube, then sat down with a microwaved Jimmy Dean Breakfast Bowl to start the day right. Something crunched in his mouth, and he spat out a wad of breakfast bowl into a napkin, just as the pounding started at his front door. Huddleston’s first thought was that somebody had crashed their car and needed to use his phone. But when he opened the door, he was met by about two dozen serious-looking men and women, some in bulletproof vests, holding handguns at the ready, one shouldering an assault rifle, another carrying a battering ram. He was accustomed to seeing uniformed sheriff’s deputies in his neighborhood—drugs, he assumed—but most of these cops wore suits. More suits than he’d ever seen in one place. The visitors were from the FBI, and after a 90-minute search of his house, they left with his computers, only to return two months later with handcuffs. Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions. Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies. Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users? “Everybody seems to acknowledge that this software product had a legitimate purpose,” says Travis Morrissey, a lawyer in Hot Springs who represented Huddleston at his bail hearing. “It’s like saying that if someone buys a handgun and uses it to rob a liquor store, that the handgun manufacturer is complicit.” Some experts say the answer to that question could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways. The chill would be felt most profoundly by independent coders without ready access to legal support, but eventually even large corporations like Facebook or Google could face new uncertainty. Can a social networking site face charges when members stalk or threaten an ex? If ISIS starts using an encrypted messaging app, should the developer start looking for a good bail bondsman? “Even if prosecutors don’t plan to use their discretion against big companies, it can have a chilling effect,” says Cornell law professor James Grimmelmann. “Because you never know for sure.” Huddleston began coding NanoCore in late 2012 in a bid to lift himself out of a hardscrabble life. He was a high-school dropout and struggling programmer, working and living in a run down trailer slowly rusting on his mother’s property. Until then, his most ambitious project as a newbie coder had been a low-cost license management system called Net Seal that allowed developers to control access to their products, letting them shut down, for example, a copy that was bought with a stolen PayPal account. Making Net Seal taught Huddleston to code well, and when he discovered that people were making money selling Windows remote management tools, he thought he’d give it a try. His first version was weak, but after months of work NanoCore developed into a full featured product, with a plug-in capability that made it endlessly flexible, and a user interface that one computer security firm praised as “simple yet robust.” Install a NanoCore client on a Windows box, and you can remotely log keystrokes, download stored passwords, turn on the web cam, access files, and watch the user’s screen in real time. NanoCore’s powers mirror some of the functionality in popular commercial offerings like GoToMyPC, and Huddleston says he had high hopes that his $25 tool might be adopted by budget-conscious school IT administrators, tech support firms, server farms, and parents worried about what their kids are doing online. Security experts who have examined NanoCore say there’s nothing in the code to disprove Huddleston’s claim that he intended it for lawful use, though they’re inherently skeptical. “It is plausible the tool was created for legitimate reasons,” says Anthony Kasza, a senior threat researcher at Palo Alto Networks. “However, this is a common claim amongst RAT authors. … Features of RATs are not inherently malicious or benign. It all comes down to intent.” Prosecutors say they have no doubt about Huddleston’s intent. “Huddleston designed the NanoCore RAT for the purpose of enabling its users to commit unauthorized and illegal intrusions against victim computers,” wrote Assistant U.S. Attorney Kellen Dwyer in Huddleston’s 14-page indictment, which was unsealed last month. Because NanoCore has both legal and illegal uses, establishing that Huddleston wrote it for criminals is crucial for prosecutors. “It’s a dual-use technology case,” says Grimmelman. “And you typically don’t get criminal liability in dual-use technology cases unless there’s a pretty clear intent to promote the criminal use instead of the legitimate ones.” The court filings don’t detail why the government is so certain that Huddleston wanted to help hackers, but the indictment mentions eight times the name of the website where Huddleston announced and supported NanoCore: HackForums.net. Thank You! You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason HackForums is a popular site, boasting over three million registered users, and housing well-trafficked forums on coding, computer gaming, even financial investment strategies. With long threads about PokeMon and how to craft a cool YouTube page, HackForums is several shades too light for the Dark Web. But, true to its name, the first subject category listed on its homepage is a forum called “Hack,” with individual bulletin boards like “Beginner Hacking” and “Website and Forum Hacking.” This isn’t “hacking” in the innocent “innovative coding” sense of the word. The participants in these particular sub forums are largely discussing computer intrusion, some academically, others practically. You won’t find Russian super-hackers on HackForums, but computer crime newbies and amateurs building their very first botnet appear to be commonplace. One recent thread posed the question, “How would you spread malware through iframe tags?” and drew knowing advice: serve malicious Java on a fake Minecraft landing page; lure victims with a bogus ad for a recent movie. Huddleston joined the site in 2009 under the nickname “Aeonhack.” Online communities were important to him. In childhood, he and his two brothers relocated frequently as their single mother pursued job opportunities through a tumble of small towns and cities in New Mexico and Arkansas. The frequent moves coupled with his inherent shyness left Huddleston virtually friendless in school, and he finally dropped out in the 12th Grade. Throughout it all, the internet was his lifeline. When he started learning to program, he says, he gravitated to the large and helpful community in the “coding” section of HackForums. So when he was ready with the alpha version of NanoCore in January 2013, it only made sense that he’d announce it in a place where he was known and liked, and that had nurtured him as a beginner. It would soon become clear that it was a terrible place to launch a legitimate remote administration tool. There aren’t a lot of corporate procurement officers on HackForums. Instead, many of Huddleston’s new customers had purely illicit uses for a slick remote access tool. In short order, Huddleston found himself routinely admonishing people not to use his software for crime. “NanoCore does not permit illegal use,” he wrote in one post. In another, “NanoCore is NOT malware. It is intended to be used legitimately and I don’t want to see words like ‘slave’ and ‘infect.’” Huddleston backed his words with action. Whenever he saw evidence that a particular buyer was using the product to hack, he’d log in to Net Seal and disable that user’s copy, cutting the hacker off from his infected slaves. “I had a very strict zero tolerance policy,” he says. He was fighting an uphill battle. Tutorials on how to covertly infect a victim’s machine appeared on YouTube by the thousands; Huddleston responded by quietly changed NanoCore’s control panel to display the user’s license ID, so he could revoke that copy when he saw it in a video. His righteous attitude started to irk some of NanoCore’s fans. “What the hell do you expect? You’re selling a Remote Administration Tool on a hacking forum,” one wrote in 2015. “That’s like selling guns in a warzone but making a policy, ‘You’re not allowed to use these guns for dangerous purposes only target shooting.”’ Still more gripes came when Huddleston removed the tool’s ability to steal passwords and log keystrokes. “You can’t do any blackhat activities with it,” one user complained. “No one who buys a RAT wants one with the main features taken out.” The users who got cut off were even more angry, and sometimes inclined to retaliate. “I’d get these really threatening emails and people harassing me just viciously,” Huddleston says. “They would go and send me dozens of fraudulent payments in PayPal and charge them back.” PayPal interprets chargebacks as a sign of a fraudulent vendor who might have to be cut off, making that ploy an existential threat to Huddleston’s budding business. “There’s no defense against it. You can’t block someone from sending you money.” When Huddleston’s crackdowns became too troublesome, the hackers cracked his Net Seal code and distributed pirated versions of the product on other sites. Computer security companies spotted a new trend in attacks. Every time a new cracked version of NanoCore appeared, a huge spike in the code’s use in computer intrusion attempts followed. In early March 2015, Symantec detected a mysterious phishing campaign flinging NanoCore at energy companies in Asia and the Middle East. Symantec researcher Mark Balanza charted the pattern and penned a 900-word paean to Aeonhack’s “persistence in the face of endless setbacks.” “It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up leaking a copy of it for free,” Balanza wrote. “This surely has to be a major disincentive for the original developer, but they seem to possess endless optimism and persist to create new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay.” Early the next year, Palo Alto Networks caught NanoCore starring in a phishing campaign tied to tax season. By then, Huddleston’s optimism had already run dry. “I was just in way over my head,” he says. “I loved creating it. I loved learning how to create it,” Huddleston recalls. “You get that rush from solving all these complex issues, and this is by far, hands down, the most difficult and the biggest project that I ever created. I learned so much from it that I could never have learned otherwise.” But he was weary of all the drama, coupled with the pressure of running a small business on his own, Huddleston began divesting himself from NanoCore in early 2015. First he handed off the business end to another HackForum member, while continuing to develop the code as an “advisor” in exchange for 60 percent of every sale. It wasn’t until year’s end that he finally divorced himself entirely from the project , accepting a $5,000 buy-out from the new owner. Last October, he sold off Net Seal for $3,000. In the end, Huddleston got what he wanted from both projects. He scrimped and saved enough from his NanoCore and Net Seal income that he and his girlfriend were able to move out of the trailer and buy a $60,000 house in a low-income corner of Hot Springs, Arkansas. Now even Huddleston’s modest home is in jeopardy. As part of their case, prosecutors are seeking forfeiture of any property derived from the proceeds of NanoCore, as well as from Huddleston’s anti piracy system, which is also featured in the indictment. “Net Seal licensing software is licensing software for cybercriminals,” the indictment declares. For this surprising charge—remember, Huddleston use the licenses to fight crooks and pirates—the government leans on the conviction of a Virginia college student named Zachary Shames, who pleaded guilty in January to selling hackers a keystroke logging program called Limitless. Unlike Huddleston, Shames embraced malicious use of his code. And he used Net Seal to protect and distribute it. Huddleston admits an acquaintanceship with Shames, who was known on HackForums as “Mephobia,” but bristles at the accusation that Net Seal was built for crime. “Net Seal is literally the exact opposite of aiding and abetting” criminals, he says. “It logs their IP addresses, it block their access to the software, it stops them from sharing it with other cyber criminals. I mean, every aspect of it fundamentally prevents cybercrime. For them to say that [crime] is its intention is just ridiculous.” Grimmelman, a specialist in technology law, says the case may fit a trend he’s noticed in online law enforcement: prosecute the defendants you can easily find as proxies for those you can’t. “The government’s frustration with criminal users who are anonymous splashes back in a variety of ways on targets who are easier to identify,” says Grimmelman. “It’s kind of unusual to target a software developer, but I definitely feel that’s the way the winds are blowing.” Huddleston suspects the entire prosecution is the FBI’s way of saving face after raiding him. He thinks the feds expected to uncover evidence on his computer, like chat logs or private message, showing that he was secretly colluding with hackers even as he publicly battled them. When they didn’t, they decided to charge him anyway. Another motive for the indictment might be found in the 2012 prosecution of Michael “xVisceral” Hogue, who once helped create and sell a remote access program called Blackshades. Sold in the underground for $40, Blackshades was blatant malware, implicated in attacks on one million computers around the world. It was particularly favored in online ransom schemes, where an attacker freezes a victim’s machine and demands a payoff to set it free. The government made a cooperation deal with Hogue, and with his help U.S. and European law enforcement rounded up 100 Blackshades users in a two-year-long investigation. It was a masterful play by the bureau that multiplied one bust into scores. It also worked out well for Hogue, who was sentenced to probation in 2014. The feds may have hoped to do the same with Huddleston and NanoCore. If so, they might have done better leaving the assault rifle at the office. By his account, Huddleston was himself a victim of his hacker users, and he might have welcomed a chance to help the FBI make some arrests. Instead, his most vivid memory of the December raid involves sitting down with the lead agent, who’d come in from Washington D.C. to execute the search warrant personally. Huddleston was still in his pajamas, and obsessing over the embarrassing blob of meat sitting on the table, as the agent explained that NanoCore’s abuse had international implications. “This is a global thing. We’re working with other countries,” Huddleston remembers the agent saying. “You’re a little fish in a big pond… Are you going to cooperate?” When Huddleston replied that he wouldn’t talk to the FBI without a lawyer, the agent became visibly irritated, he says. In February the bureau returned with an arrest warrant, and Huddleston spent a week in jail before a judge released him on a $5,000 signature bond. Now he’s anxious about the future. Before the raid, he was pondering his next project. “I wanted to get into game development.” When The Daily Beast spoke to Huddleston last week, he was planning his 16-hour road trip to Arlington, Virginia for arraignment. He’ll have to make the trip without Google Maps—the judge ordered him to stay completely off the Internet, whether by computer or smartphone. Part of him seems not to believe the whole thing is really happening. There’s a corporate-friendly double standard at play in the charges, he argues. Hackers have used commercial remote administration tools for years. Big name brands like TeamView and VNC have figured in malware campaigns even more insidious than those waged by NanoCore hackers. But the FBI doesn’t show up at their corporate headquarters with guns drawn. “NanoCore is abused in the same way that those are,” says Huddleston, his good humor finally breaking into exasperation. “The difference is I proactivity go after these people and build security into the software to catch these people.” His corporate competitors had “money and thousands of employees.” Huddleston had a trailer and microwavable food. “I’m just one guy.” The post FBI Arrests Hacker Who Hacked No One appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/fbi-arrests-hacker-who-hacked-no-one/ Mike Mimoso and Chris Brook preview this year’s Security Analyst Summit and discuss the news of the week, including a Microsoft IIS zero day, a new Mirai variant, and the broadband privacy ruling. Download: Threatpost_News_Wrap_March_31_2017.mp3 Music by Chris Gonsalves The post Threatpost News Wrap, March 31, 2017 appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/threatpost-news-wrap-march-31-2017/ If you haven’t already, then it is time to embrace a virtual private network since our lawmakers voted to remove regulations which would stop ISPs from selling your online life, manipulating your search results and controlling what you see online. Even if you don’t care about highly targeted advertising being thrown your way, it’s the principle of the profiling. You wouldn’t run a computer without some type of protection such as anti-malware and a firewall; sadly, the day has come when you shouldn’t connect online without using a VPN. While connected to a VPN, your incoming and outgoing data is encrypted – even though not all VPNs use the same strength of encryption. VPN-encrypted data means your ISP can’t see what you are searching for or where are visiting. If your ISP intends to sell your online profile – everything you do online – then all it can see is that you connect to a VPN. Yet a VPN doesn’t guarantee you are inside a privacy or anonymity bubble; it doesn’t mean an end to all tracking; while using a VPN, if you login to sites such as Facebook, Netflix or Amazon, then those places know who you are and track you. Once you decide to jump on the VPN bandwagon, then you need to decide which VPN service to use. Before you do that, you need to decide what is important to you. Privacy? Security? Anonymity? Not all VPNs are the same. Thinking about a free VPN? Keep in mind that with most free services YOU are the product. Maybe your browsing habits won’t be sold, but the company can’t run the VPN for free and has to find some way to make money. There are things to be concerned about other than your profile being sold by your free VPN. You may recall the scandal when people found out that the free Hola VPN browser extension was being used to turn users’ computers into a botnet. Paying for a VPN naturally means it wouldn’t be a free service, so some people might think that automatically implies YOU won’t be the product. If you believe that for a certainty, then consider this…YOU pay for your internet connection, but that doesn’t mean your browsing habits won’t be sold. It also doesn’t guarantee that a VPN doesn’t use third-party tools that track and log what you do. Do you want a VPN that keeps no logs? As in if Johnny Law come knocking then a VPN has nothing to hand over if it keeps no logs. This is an important feature to look for whether you care about privacy, anonymity or security. Another important feature is a kill-switch even though different VPNs call it different things. A kill-switch is what it sounds like; if your VPN connection drops, the kill-switch will block or “kill” your internet connection. Without a kill-switch, your computer would automatically connect to the internet as if you had no VPN. If the VPN supports torrenting, P2P, and the connection drops without a kill-switch, then your computer would connect via your real IP. You also don’t want a VPN that leaks your data. Assuming the VPN provider set up and configured it correctly, then what you do online should be shielded from your ISP. You can find out if you have a leaky VPN via IPLeak. If you pick a VPN that offers a free trial, then make sure you test its leak protection instead of trusting what the VPN says is true. When you are connected to your VPN, you are using the VPN-assigned IP. When running a leak test, you don’t want to see your ISP’s IP and your actual geolocation on the map; if you do, see if the VPN offers a refund because it is leaking WebRTC requests. You also do not want to see your ISP’s DNS address as that implies that your ISP can still see what you are doing online, what you are searching for and where you visit. In other words, kick that VPN to the curb and seek a refund. Not all VPNs offer refunds. Do you want a VPN which has hundreds of servers located in many different countries, or do you only care about connecting to a server in the US? For some people, the locations of the VPN servers are important; some countries have better privacy laws than others. Many VPNs have hundreds of servers available in numerous countries. If you connect to server in a different country than the language you speak, keep in mind that your searches will reflect that. For example, running searches using English while connected to a server in Germany will still primarily give you search results in German. Some people are concerned about speed. Is there a bandwidth limit? Some VPNs are better than others, but keep in mind that you’ll take a speed hit whether you use the free Tor browser or paid for a VPN. How many connections can you have simultaneously? Does the VPN support mobile devices? If you are going to pay for security and privacy, then wouldn’t you like to have the VPN running on all your devices? Do you have a preference for how you pay for the service? Some people only want a VPN which accepts cryptocurrency such as bitcoin to stay as anonymous as possible. Don’t know where to start? Why reinvent the wheel? Torrent Freak has been checking up on VPNs for years; here is the 2017 version honing in on which VPNs keep you anonymous. That One Privacy Site has terrific comparison chart covering hundreds of VPNs. How much privacy, security or anonymity a VPN can give you really depends upon which VPN you select. Before jumping into an annual fee, which is the least expensive way to go about it, you might consider trying out one month on several VPNs. While most folks aren’t too thrilled about taking on another payment, if you care about protecting your online privacy and stopping your ISP from snooping on you and then selling that data, then it’s time to start using a VPN. The post What to look for in a VPN to protect your privacy appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/what-to-look-for-in-a-vpn-to-protect-your-privacy/ U.S. internet service providers are about to face temptation. Now that the broadband privacy rule repeal is almost certain, will they sell their customers’ data to marketers, or will they keep it private? The U.S. broadband industry is telling consumers not to worry. Verizon, for instance, said that it remains committed to protecting users’ privacy. What that exactly means is unclear, and some in the industry are skeptical. Major broadband providers will be enticed to monetize their customers’ data in ad-heavy ways, said Dane Jasper, CEO of Sonic, a small ISP in California. He should know. Jasper routinely receives pitches from marketing firms that want to use his ISP to serve his customers targeted ads. The catch: the marketing firms want to monitor every user, to learn their internet habits, and what they’ll likely buy. “That’s the temptation facing carriers and advertisers,” he said. “The carrier is the one point where everybody’s internet behavior can be observed.” Although Jasper’s ISP is focused on protecting customers’ privacy, one man’s nightmare may be another man’s dream. Other broadband providers have been known to claim their advertising efforts, produce better, relevant ads for consumers, despite the data collection. Nevertheless, critics say the practices behind these ads can be creepy. Often, the data collection can occur in secret and involve inserting cookies into customers’ mobile traffic or using bloatware on Android phones, according to Jeremy Gillula, a technologist at the privacy advocate the Electronic Frontier Foundation. He’s come up with a list, chronicling how broadband providers have been found monitoring customers in the past, but now fears history will repeat. “Everything on this list is likely to make a resurgence,” he said. Under federal law, broadband providers still have to protect a customer’s “individual identifiable” information. But when it comes to handling aggregate internet browsing history, ISPs might find interested buyers from advertising firms, or law enforcement, he said. “I don’t see them saying no to that money,” Gillula said. For broadband providers, the privacy rule repeal gives them more confidence to ramp up user-tailored marketing efforts that send ads to phone, TV and PC, said Fatemeh Khatibloo, an analyst with Forrester. However, “it might be a crummy experience, when you take that to the next level,” she said. Imagine your past internet searches on sensitive topics, such as diabetes or domestic violence, suddenly reflected over multiple devices through online ads. Khatibloo said consumers will probably find that disturbing. The U.S. broadband industry is quick to point out that online advertising and data collection is nothing new. Google and Facebook, for instance, have made billions selling targeted ads. “ISPs believe that everyone should follow the same privacy rules,” said USTelecom, a trade association and lobbying group that represents broadband providers. “They are not selling customers’ browsing history to the public,” it added. The post In mining user data, US ISPs must weigh cash vs. privacy appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/in-mining-user-data-us-isps-must-weigh-cash-vs-privacy/ Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.
As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google. Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations. I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process. In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set user credentials and allow users to connect to the service via open-source VPN software like OpenVPN. Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York. If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider. For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers. That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs. Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor. My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash). Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book. Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose. Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to chose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to chose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video. These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services. For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here. A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is also somehow monetizing your use of their service in some way — probably in an way that may be at odds with your reason for using the service in the first place. Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years). Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe. As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization. Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation. Tags: DNS leak, eff, Electronic Frontier Foundation, IPv6 leak, President Trump, searchinternethistory.com, Tor, virtual private network, vpn
You can skip to the end and leave a comment. Pinging is currently not allowed. The post Post-FCC Privacy Rules, Should You VPN? appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/post-fcc-privacy-rules-should-you-vpn/ Virtual private networks have many uses. Typically, businesses deploy VPNs so employees can securely access the corporate network from outside the office. However, we’ve seen a rise in third-party VPN services that use the same underlying technology, the encrypted tunnel, to simply provide a secure Internet connection. Why would you ever need to do this? When connected to a VPN service, the websites you access think you’re at the location where the VPN server is located. This can help anonymize your Internet traffic so it’s much harder for websites to track your personal browsing history. This also allows you to access websites, services, and content that’s restricted where you are currently located, such as Netflix or Hulu when traveling overseas. Additionally, your Internet traffic would be encrypted when you’re on unsecured Wi-Fi networks, such as public hotspots. This prevents local eavesdroppers from capturing your browsing history and logins. We evaluated seven third-party VPN services you could utilize for anonymizing your Internet activity, accessing geographic-restricted services, or securing your Wi-Fi hotspot connections. Net results
Here are the individual reviews: Avast SecureLineSecureLine is one of the many security solutions provided by Avast, known mostly for its free antivirus. SecureLine VPN isn’t free, but they do provide a seven-day free trial. Unlike most of the other services in this review, SecureLine licensing and pricing varies between platforms. Pricing starts at $7.99 per month for one PC or Mac, $2.59 per month for one Android device, and $2.99 per month for one iOS device. For businesses, it’s $5 per device per month via their managed services solution. We installed the SecureLine Windows application, version 1.0.244. A notification icon in the system tray of Windows lets you know if it’s connected or not. You can right-click the icon to quickly connect or disconnect, or left-click to bring up the application. The app is small and very simple. Under the connection status is the connect/disconnect button. You can either quickly hit the Connect button to utilize the nearest VPN location or click the down arrow to select one of 18 countries. Unlike most other services we reviewed, you can’t change locations while connected. You must disconnect and choose another location. The only other button is the settings shortcut in the lower-right corner. There you can choose what SecureLine should do when connecting to an unsecured Wi-Fi network, which could be to offer to connect or to auto-connect. On our Android device, we installed the Avast SecureLine app, version 1.0.7704. By default, you only see a status icon for the app on the status bar of Android and on the notification drawer when you’re connected to the service. However, you can optionally enable the icon and notification to be present when disconnected as well. The Android app is also very simple. Under the connection status, you can optionally select a particular VPN location, and on the bottom of the app is the connect/disconnect button. However, unlike the Windows application, you can change the VPN location while connected. You can open the app menu via the shortcut in the upper-right, where you can access the settings and connection rules. You can customize the notification settings. Conveniently, by default the app will alert you to connect to the service before you connect to any unsecured Wi-Fi network. Furthermore, you can utilize their connection rules functionality if you want the app to connect or ask to connect to a specified VPN location. There’s no shortcut to any help or documentation within the Android app or Windows application, but it really isn’t needed given how simple the apps and service are. F-Secure Freedome VPNFreedome VPN is from F-Secure, which provides antivirus and other security solutions for computers and mobile devices. There’s a 14-day free trial. After that pricing starts at $49.99 per year, supporting up to three simultaneous devices. There are additional pricing options that include support for up to five and seven simultaneous devices. Additionally, they offer Freedome in their business solutions, which is manageable via their Protection Service Portal. We evaluated version 1.0.2246.0 of the Freedome Windows application. It includes a notification icon in the system tray of Windows, which is gray when not connected to the VPN service and blue when connected. You can right-click the icon to quickly connect or disconnect or change the VPN location. A normal left click on the icon shows the application. The post Review: Consider VPN services for hotspot protection appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/review-consider-vpn-services-for-hotspot-protection/ The Russian government used “thousands” of internet trolls and bots to spread fake news, in addition to hacking into political campaigns leading up to the 2016 U.S. election, according to one lawmaker. Disinformation spread on social media was designed to raise doubts about the U.S. election and the campaign of Democratic presidential candidate Hillary Clinton, said Senator Mark Warner, a Virginia Democrat. “This Russian propaganda on steroids was designed to poison the national conversation in America,” Warner said Thursday during a Senate hearing on Russian election hacking. The Russian government used “thousands of paid internet trolls” and bots to spread disinformation on social media. The groups spreading disinformation appeared to target specific swing states in the weeks leading up to the U.S. election, Warner said. He questioned whether Russian operatives would have that level of U.S. elections expertise without outside help. Most members of the Senate Intelligence Committee expressed little doubt that Russia tried to influence the U.S. presidential election through hacking and the spread of disinformation. Senators from both parties promised to investigate alleged ties between President Donald Trump’s campaign and the Russian disinformation and hacking efforts. Warner addressed repeated suggestions by Trump that Russian interference in the election is “fake news.” “This is not innuendo or false allegations,” Warner said. “This is not fake news, this is actually what happened to us.” Clinton wasn’t the only presidential candidate targeted by Russia, said Clint Watts, senior fellow at the Foreign Policy Research Institute Program on National Security. Senator Marco Rubio, a Florida Republican, appears to have been targeted during the Republican primary because of his tough stance on Russia, Watts said. Rubio, a member of the Intelligence Committee, confirmed during the hearing that his campaign staffers were targeted last July, after he dropped out of the presidential race, by a hacker using a Russia IP address. Former members of his presidential campaign staff were again targeted on Tuesday by an attempted hack coming from Russia, he said. On Thursday, Russian President Vladimir Putin again denied the allegations that Russia targeted the U.S. election. The allegations are “fictional, illusory and provocations, lies,” Putin said during the annual Arctic Forum in Arkhangelsk, Russia. Witnesses told senators that Russia has been waging disinformation campaigns in the West for decades. The purpose of the recent Russian disinformation campaign is to stir up unrest in Western democracies, to shake their citizens’ faith in their governments and traditional media, and ultimately, to break up NATO and the European Union, said Eugene Rumer, director of the Russia and Eurasia Program at the Carnegie Endowment for International Peace. The Russian disinformation and hacking campaigns were “not a crisis, not something that will pass soon,” Rumer added. “It is the new normal. We will see Russia relying on this toolkit in the months and years to come.” While Russian disinformation campaigns are nothing new, Russian hackers seemed to change their tactics in mid-2014, said Kevin Mandia, CEO of cybersecurity company FireEye. Instead of covering their tracks, they continued their hacking campaigns even after being identified by security researchers, he said. The Russian hackers also began “operating at a scale and scope where you could easily detect them,” Mandia added. During the U.S. election, Russia operatives “left behind more clues and more traces than ever before,” added Thomas Rid, a professor in the Department of War Studies at King’s College London. The Russian disinformation campaign goes even beyond elections, Watts said. An April 2014 petition on the U.S. White House website demanded the country give Alaska back to Russia. The petition generated 39,000 signatures in a short time, with many signatures appearing to come from bots used to push Russian propaganda months earlier, Watts said. Soviet-era disinformation tactics “have been reborn and updated for the modern Russian regime in the digital age,” he said. The post Senator: Russia used 'thousands' of internet trolls during U.S. election appeared first on Gigacycle Computer Recycling News. from https://news.gigacycle.co.uk/senator-russia-used-thousands-of-internet-trolls-during-u-s-election/ |
ABOUT USFree, secure collections for I.T recycling and CESG approved data erasure for individuals, businesses and large-scale projects. I.T Asset Disposal | Computer Recycling | Re-marketing & Cashback | Secure Data Erasure. Archives
May 2017
Categories |