Courtesy Casey Johnston, ArsTechnica
A trio of men may have installed keyloggers at a Nordstrom department store in Florida to skim credit card numbers, reports KrebsOnSecurity. According to a police report, the men plugged standard keyloggers into the backs of cash registers and returned to remove them some days later with the alleged intent to use the information to create fake credit cards.
The keyloggers the thieves used imitate the look and design of PS/2 keyboard connectors, priced around $30-40. They are connected in series with a keyboard cord, between the computer and the keyboard, to intercept data transmitted between the two.
The Aventura, Florida police report states that the Nordstrom has security video footage of the three men entering the store and working as a team. Two distracted the staff while a third cased the registers and back of the computers. The men returned a few hours later and repeated their teamwork scheme, but this time the third man installed the keyloggers. They returned a third time to collect the keyloggers.
Krebs indicated that the keyloggers may not be able to skim data directly from a credit card reader, although some readers do use PS/2 connectors. If connected to the keyboard itself, the keyloggers likely would have been able to capture any credit card numbers typed in directly. A keylogger installed with the keyboard could, in theory, also have been able to capture applications for Nordstrom credit cards, which typically request personal information like names, addresses, birthdates, and social security numbers.
Courtesy Casey Johnston, ArsTechnica
Here’s the dialog you’ll see if you were opted out of search, when Facebook gets around to opting you back in.
If you checked that box saying you don’t want to appear in Facebook search results, get ready: soon, that choice is going away. Facebook announced in a blog post Thursday that it’s removing the ability to opt out of appearing in search results, both for friends and globally, for those who’ve had it enabled.
Facebook actually removed the search opt-out for everyone who didn’t have it enabled early this year, around the time it introduced Graph Search. Now, ten months later, Facebook is giving the boot to anyone who actually cared enough to opt out, referring to the checkbox as an “old search setting.” Facebook claims that less than one percent of users were taking advantage of the feature.
In simpler times, Facebook was smaller and easier to navigate, and everyone had a privacy setting asking “Who can look up your timeline by name?” Now, says Facebook, there are so many profiles that users become confused when they know they have a friend, or know someone in a group, but search for that person by name and they don’t appear.
The shifting sands of Facebook privacy settings have become increasingly unreliable; of course Facebook is not beholden to any of its users to protect them from much of anything, and anyone who doesn’t like what Facebook is doing can leave. ReadWrite has a good run-through of the privacy settings you may want to survey and tweak. While they still exist, that is.
Courtesy Gregg Keizer, Computerworld
The security researcher who yesterday was awarded $100,000 by Microsoft spent about two weeks pondering, then demonstrating a new way to circumvent Windows’ defensive technologies.
In an interview today, James Forshaw, the head of vulnerability research at U.K.-based Context Information Security, described in the most general terms the work that resulted in the big bounty.
"When Microsoft announced the initial bounties, I first thought about the mitigations I wanted to go over," said Forshaw. "Windows has a lot of mitigations in place, so I started to brainstorm. I asked myself, ‘How would I do it [if I was a cyber criminal]?’"
From start to finish — from those brainstorming sessions to an exploit that proved his mitigation bypass approach worked — Forshaw said he spent about half a month on the project. "From my initial thought to a full working proof of concept was about two weeks," he said.
Forshaw stressed that the two weeks of solid work were atop the years he’s spent in information security, hammering home the point that winning submissions, whether for a bonus program like Microsoft’s or those that browser makers and other vendors run to collect details on specific vulnerabilities, almost always go to very experienced, long-time researchers.
"This is not something that anyone’s done before, but then again, nothing is completely revolutionary," said Forshaw.
Microsoft echoed that yesterday. In a Tuesday blog post, Katie Moussouris, a senior security strategist with the Microsoft Security Response Center (MSRC), and the manager of the bounty programs, said that a Microsoft engineer had independently found a variant of the attack technique class that Forshaw reported.
"But James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty," wrote Moussouris.
Courtesy Tom Simonite, MIT TechnologyReview
In 2011, General Michael Hayden, who had earlier been director of both the National Security Agency and the Central Intelligence Agency, described the idea of computer hardware with hidden “backdoors” planted by an enemy as “the problem from hell.” This month, news reports based on leaked documents said that the NSA itself has used that tactic, working with U.S. companies to insert secret backdoors into chips and other hardware to aid its surveillance efforts.
That revelation particularly concerned security experts because Hayden’s assessment is widely held to be true. Compromised hardware is difficult, and often impossible, to detect. Hardware can do things such as access data in ways invisible to the software on a computer, even security software. The possibility that computer hardware in use around the world might be littered with NSA backdoors raises the prospect that other nations’ agencies are doing the same thing, or that groups other than the NSA might find and exploit the NSA’s backdoors. Critics of the NSA say the untraceable nature of hardware flaws, and the potential for building them into many systems, also increases the risk that intelligence agencies that place them will be tempted to exceed legal restrictions on surveillance.
“Hardware is like a public good because everybody has to rely on it,” says Simha Sethumadhavan, an associate professor at Columbia University who researches ways to detect backdoors in computer chips. “If hardware is compromised in some way, you lose security in a very fundamental way.”
Despite a few allegations against various governments, there are no publicly confirmed cases of backdoors in computer hardware being deployed. However, in recent years security researchers have repeatedly demonstrated the power and stealth of compromised hardware, mostly by embedding backdoors into the firmware of PC components. One presentation at the Black Hat security conference last year showed off a way to backdoor a new PC so that even switching the hard drive won’t close the door (see “A Computer Infection That Can Never Be Cured”).
Courtesy Wayne Rash, eWeek
There’s a saying about the left hand not knowing what the right hand is doing. Nothing illustrates this more clearly than the federal government’s dysfunctional relationship with the Tor browser and the onion router. By now, you’ve heard that the National Security Agency is having a tough time unraveling Tor. This bundle of software based on the Firefox browser enables a process in which Internet traffic is routed among a series of routers, each of which adds a layer of encryption and anonymity as the traffic passes through it. The Tor browser is freely available to anyone who wants to use it, including dissidents in nations with oppressive governments and even child abusers.
The problem with Tor from the NSA’s viewpoint is that it works too well. Actually nailing down who’s using it, decrypting what they’re doing, and doing all of that in a timely fashion is driving the NSA crazy. So, naturally, you have to ask yourself what band of privacy advocates dreamed up this nearly uncrackable communications pathway? The answer may surprise you.
Tor is the brainchild of the U.S. government. In fact, Tor was invented with the support of the U.S. Naval Research Laboratory, located near Washington, D.C., in suburban Maryland, just inside the Beltway. And yes, this is pretty close to the NSA, which is also located in suburban Maryland, although it’s outside the Beltway.
Courtesy Joshua Foust, DefenseOne.com
Scientists, engineers and policymakers are all figuring out ways drones can be used better and more smartly, with more precision and less damage to civilians, with longer range and better staying power. One method under development is increasing the autonomy of the drone itself.
Eventually, drones may have the technical ability to make even lethal decisions autonomously: to respond to a programmed set of inputs, select a target and fire their weapons without a human reviewing or checking the result. Yet the idea of the U.S. military deploying a lethal autonomous robot, or LAR, is sparking controversy. Though autonomy might address some of the current downsides of how drones are used, it introduces new downsides that policymakers are only just learning to grapple with.
The basic conceit behind a LAR is that it can outperform and outthink a human operator. "If a drone’s system is sophisticated enough, it could be less emotional, more selective and able to provide force in a way that achieves a tactical objective with the least harm," said Purdue University Professor Samuel Liles. "A lethal autonomous robot can aim better, target better, select better, and in general be a better asset with the linked ISR [intelligence, surveillance, and reconnaissance] packages it can run."