NSA Spies With Tracking Cookies

The browser cookies that online businesses use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.

The agency’s use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, theWashington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.

Google’s PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appears to be a particular favorite of the NSA, the Post noted.

PREF cookies don’t store any user identifying information such as user name or email address. But they contain information on a user’s general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual’s browser.

The Google cookie, and those used by other online companies, can be used by the NSA to track a target user’s browsing habits and to enable remote exploitation of their computers, the Post said.

Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target’s computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.

It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).

Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.

However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from wireless carriers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed “Happyfoot,” allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.

An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.

An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency’s commitment to fulfill its mission of protecting the country against those seeking to do it harm.

“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies,” the spokeswoman said.

The Post’s latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.

Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.

Source

Will nVidia’s Tegra 5 Go LTE?

The tradition continues. Our sources are confirming that Nvidia’s Logan SoC, possibly called Tegra 5, doesn’t come with an integrated LTE modem. Just like Apple, Nvidia makes a big fast chip with impressive Kepler based GPU, but it won’t put a an icera LTE solution inside the same chip.

Icera i500 is Tegra 5 compatible and it has AT&T certification. As the launch draws near, it should become compatible with other US and international LTE carriers like Verizon and T-mobile.

This should not be a big issue for Nvidia’s target market, manufacturers will have to choose two chips instead of one, a clear competitive disadvantage compared to future Qualcomm chips with Adreno 400 graphics and updated CPU cores, expected in early 2014.

During Nvidia’s recent conference call, CEO Jen Hsun Huang said devices based on the new Tegra 4i with integrated LTE should be announced in Q1 and ship no later than Q2. Jensen also mentioned that people are going to be “delighted by the OEM that it comes from” which is probably his way of of announcing some big brand design wins, but he also emphasised that the designs will be global rather than US. For US success you need CDMA Jensen said, but as far as we know Verizon is the only company using it.

Since Apple can pull of two chip designs from day one, we can only assume that two chip approach won’t cost much battery life compared to single chip design that has LTE on board (Snapdragon 600 and 800 ed. ). However, Nvidia is likely going to be making bets on its Kepler based GPU, expected to be the fastest graphics core ever integrated in a mobile SoC that will rock tablets and some phones around the world. The fact that Logan is likely to pack very powerful graphics sans on-die LTE makes it a bit more interesting for tablets than phones, which is exactly what we saw with the Tegra 4.

We expect to see Tegra 5 devices announced at CES 2014 so early January and with some luck we might see them shipping very early in 2014.

Source

Did Stuxnet Infect A Russian Nuclear Plant?

Kaspersky has claimed that the infamous Stuxnet computer worm “badly infected” the internal network of an unnamed Russian nuclear plant after it caused chaos in Iran’s nuclear facilities.

Speaking at a keynote presentation given at the Canberra Press Club 2013, Kaspersky CEO Eugene Kaspersky said a staffer at the unnamed nuclear plant informed him of the infection.

“[The staffer said] their nuclear plant network which was disconnected from the internet was badly infected by Stuxnet,” Kaspersky said.

“So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”

Stuxnet was discovered to have spread throughout industrial software and equipment in 2010 and is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. According to Kaspersky’s source, the malware was carried into the Russian nuclear plant and installed on a physically separated “air-gapped” network.

Kaspersky also made a rather outlandish joke during his speech, saying that all data is subject to theft. “All the data is stolen,” Kaspersky said. “At least twice.”

“If the claim of the Russian nuclear plant infection is true, then it’s easy to imagine how this “collateral damage” could have turned into a very serious incident indeed, with obvious diplomatic repercussions,” said security expert Graham Cluley.

“There is no way to independently verify the claim, of course. But it is a fact that Stuxnet managed to infect many computer systems outside of its intended target in Iran,” Cluley added. “Indeed, the very fact that it spread out of control, was what lead to its discovery by security firms.”

Earlier this year, Symantec claimed that the Stuxnet computer worm could date back further than 2010 and was more widespread than originally believed.

Symantec’s report called “The Missing Link” found a build of the Stuxnet attack tool, dubbed Stuxnet 0.5, which it said dated back to 2005 and used different techniques to sabotage industrial facilities.

Source

Adobe Data Found Online

A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.

LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.

Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.

The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.

While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records include some 25 million records containing invalid email addresses, 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.

She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.

The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.

Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.

He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.

“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”

Source

Google Expands Malware Blocker

Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.

Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.

Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.

Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012with Chrome 17.

Chrome is now at version 30.

Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.

“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.

In Canary, there is no way for the user to contradict the malware blocking.

That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.

As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a  blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.

Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.

In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.

Source

Raspberry PI Breaks Record

Sinclair ZX80 and runaway success story, the Raspberry Pi might be about to get its own monitor after a Kickstarter campaign to create a low cost 9in screen for it has exceeded its $90,000 goal in a single weekend.

The HDMIPi monitor from startup Raspi.tv presently stands at $100,996 on Kickstarter, an increase of $8,000 in just the last four hours. The concept behind the monitor is to create something small and affordable but with maximum 1920×1080 resolution. Even though the project has had to scale down its ambitions to 1200×800 resolution to fit the business plan, Raspberry Pi fans have flocked to crowdfund the device.

Put in perspective, that’s higher than HD 720p resolution, or as they describe it, “slightly better resolution than the 720p HD footage on BBC iPlayer”.

Monitor cases will be available in a variety of colours, designed by none other than Paul Beech, who designed the original Raspberry Pi logo.

Although primarily designed for the Raspberry Pi, the HDMIPi is a standard HDMI monitor and can be used for other devices – Android sticks, video cameras, games consoles and beyond.

Raspi.tv has pledged to ship orders in February 2014, delays permitting, and is already working on enhancements. It has described touch functionality as something that might become available as a bolt-on at a later date, saying that “enough people have mentioned it that we are sitting up and taking notice”.

As ever with the Raspberry Pi ecosystem, everything is a bit Ryanair, and power supplies, surrounds and so on are not automatically included, though of course, in the true DIY spirit, you can always make your own.

Source

Africa To Lead Global Bandwidth Demand

Africa’s demand for Internet access to the rest of the world will grow by an average of 51 percent every year until 2019, ahead of all other regions, according to a forecast by research company Telegeography.

Rapid economic growth and wider Internet use will drive the increase in demand, which will be met mostly by turning on unused capacity in existing cables, according to Telegeography analyst Erik Kreifeldt. Terrestrial links are in demand partly because much of Africa still relies on satellite, which is far more expensive per bit than wired broadband, he said.

Most Internet bandwidth between continents is provided by undersea cables built and financed by groups of service providers. From Africa, most of those links go to Europe. Other carriers pay to tap into those cables and link their customers to the Internet. In some parts of Africa, running cables from coastal areas to the interior is a challenge so satellite remains the major Internet source, Kreifeldt said.

The capacity of international cables landing on African shores is just a fraction of the bandwidth available between Europe, the U.S. and Asia. After seven years of the growth that Telegeography forecasts, from 2012 through 2019, Africa will have 17.2Tbps (bits per second) of links to the outside world. That’s up from just 957Gbps in 2012 but will still be only about one-quarter of the international capacity of Latin America and less than that of Canada, according to Telegeography.

The hunger for the Internet varies among African countries. Through 2019, bandwidth demand is expected to grow fastest in Angola, at 71 percent per year; Tanzania, at 68 percent; and Gabon, at 67 percent.

Many new cables have been built to Africa and around the continent in the past several years, giving service providers excess fiber capacity that can be turned on when needed, Kreifeldt said. As that fiber gets lit up and supply rises, prices should fall for enterprises and other users in African countries, he said. However, due to relative scarcity, a given amount of bandwidth between Africa and Europe costs about 10 times as much as the same size connection between Europe and North America, he said. Africa’s bandwidth gains aren’t expected to shrink that gap.

Source

Does Intel Need Help?

As time runs out for Intel to bring its Internet-based TV service by the end of the year, the outfit has approached Samsung and Amazon to ask them to lend a hand. Intel has asked about providing funding and distribution for the service. It looks like the set-top box project could be scrapped if a strategic partner isn’t found soon.

OnCue was supposed to allow users to watch live TV, on demand, and other offerings. Intel said it would provide the hardware and services directly to consumers and that the box would come with a camera that can detect who is in front of the TV. More than 300 engineers are working on the project under Erik Huggers, the head of Intel Media. A version of the service running on Intel hardware is testing with 3,000 Intel employees. Goodness knows what content they are running. Intel is having difficulty getting content deals.

Intel has yet to announce any TV programming partners, and Time Warner Cable and other cable TV providers have been pressuring channel owners to shun pacts with Intel and other Internet-based TV providers. Samsung, which ships millions of smart TVs, could distribute the service as a bundle, while Amazon could provide access to its growing library of movies and TV shows.

Source

More OEM’s Seeking nVidia

As expected and announced, Zotac has now “joined the mobile gaming revolution” with the new Tegra Note 7 tablet and will be one of a handful of Nvidia partners that will sell it in both Europe and Asia-Pacific region for US $199.

In case you missed it yesterday when it was officially unveiled by Nvidia, the Nvidia Tegra Note 7 is based around a 7-inch 1280×800 IPS display and powered by Nvidia’s own Tegra 4 SoC with quad-core Cortex-A15 CPU and 72-core Geforce GPU paired up with 1GB of memory. It also packs some neat features exclusive to Nvidia, including a stylus with Nvidia DirectStylus technology as well as the 5-megapixel rear main camera backed by Chimera computational photography architecture revealed earlier by Nvidia. The camera will have support for both HDR as well as slow-motion video.

Unfortunately, Zotac did not announce the precise launch date so we are still stuck with Nvidia’s October time-frame and we are still to see the price of the new Tegra Note 7 in Europe.

Source

Apple Hacked

A group of German hackers claimed to have successfully breached the iPhone fingerprint scanner on Sunday, just two days after Apple Inc debuted the technology that it promises will better protect devices from criminals and snoopers seeking access.

If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.

Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computing Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work.

One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.”

Apple representatives did not respond to requests for comment.

CCC, one the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone.

The group said they targeted Touch ID to knock down reports about its “marvels,” which suggested it would be difficult to crack.

“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” a hacker named Starbug was quoted as saying on the CCC’s site.

The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a “fake finger.”

CCC said similar processes have been used to crack “the vast majority” of fingerprint sensors on the market.

“I think it’s legit,” said Dino Dai Zovi,” another co-author of the iOS Hacker’s Handbook. “The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.”

Touch ID, which was only introduced on the top-of-the-line iPhone 5S, lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It uses a sapphire crystal sensor embedded in the button.

Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip.

Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.

“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” said mobile security researcher Nick DePetrillo, who started the contest with another security expert, Robert Graham. “When they deliver that video we will review it.”

The two of them each put up $100 toward a prize for the contest winner, then set up a website inviting others to contribute. While the booty now includes more than $13,000 in cash, it was not clear that the CCC would receive the full payout, even if DePetrillo and Graham declared them winners.

Source

« Previous Page — Next Page »