Monthly Archives: August 2014

With Newly Announced Expansions, Amazon’s Same-Day Delivery Service Now Outpaces Competitors

Amazon’s Same-Day Delivery service is expanding again, the company has announced, and will now be arriving in a half-dozen more cities and metro areas, including Baltimore, Dallas, Indianapolis, New York City, Philadelphia, and the D.C. metro area. Amazon Prime customers in these markets, and others that already have access to the “Get It Today” option, are able to order select items by noon in order to receive delivery the same day for a $5.99 additional fee.

Amazon’s Same-Day Delivery service runs seven days a week, and includes things like movies, video games, travel needs, school supplies, family necessities, and more. In the supported markets, customers can filter to see just the “Get It Today” items using an option on the Amazon.com’s homepage left-hand navigation panel. For those who miss the cutoff, a “Get It by Tomorrow” filter can also come in handy, the company notes.

This most recent expansion comes on the heels of the service’s arrival in San Francisco, which took place in May, indicating what appears to be a fairly speedy rollout of this service across the U.S. Same-day delivery is also being offered in L.A., Phoenix, and the Seattle metro area. The Wall St. Journal had previously reported the Dallas expansion back in May, as well.

In May, Amazon expanded the ordering hours, too. In previous tests, Amazon had been requiring orders placed by 9:30 AM. The change shows that not only is Amazon able to ramp up new markets quickly for this service, it seems, it’s also figuring out the logistics to make it something that’s actually fairly usable for Amazon customers.

Although the service is priced more attractively for Amazon Prime customers, unlike a number of Prime benefits, Same-Day is not limited to those paying annually for the Prime membership. For those who are not in the program, Same-Day Delivery pricing is $9.98 for the first item, then $0.99 for each additional item they order through this service. “More than a million” items are eligible for Same-Day Delivery, the company now says.


Amazon’s Same-Day Delivery Service Area Outpaces Competitors

Amazon’s sped-up delivery times offered through this service fit into a larger trend where consumers are demanding instant gratification when shopping online or on-the-go. While mobile apps like Uber have popularized the market for push-button, on-demand services – in Uber’s case, transportation via black cars or taxis – a number of commerce competitors have been testing the waters with same-day deliveries and store-pickups, when delivery is not feasible.

Ebay, for example, also offers same-day delivery in select markets through Ebay Now, including San Francisco, San Jose, the San Francisco peninsula, New York, Chicago, and more recently, Dallas.

Meanwhile, Google Shopping Express offers same-day service to San Francisco, San Jose, the San Francisco peninsula, New York (Manhattan only), West L.A. and parts of Northern California.

Wal-Mart, of course, has been testing same-day delivery, including grocery delivery, for years now, with same-day delivery of general merchandise available in Northern Virginia (outside D.C.), Philadelphia, Minneapolis, San Jose and San Francisco, while tests of grocery delivery have been underway in San Jose, San Francisco, and Denver – the latter of which also recently began testing same-day grocery pickups at the store, as an alternative.

Target rolled out same-day pickup to its stores, as well, including select (but not fresh or frozen) grocery items, and it’s experimenting with same-day delivery in Boston, Miami, and Minneapolis.

Same-day delivery at Amazon doesn’t include groceries. Here, the company is moving more slowly, since the service involves shipping fresh produce, meats and frozen foods quickly. The company began experimenting with grocery delivery through Amazon Fresh in Seattle as far back as 2007. Now it serves parts of California, too.

Via: techcrunch

Microsoft patches 2 critical, 7 important flaws on August 2014 ‘Update Tuesday’

Microsoft released nine security updates to resolve 37 Common Vulnerabilities and Exposures (CVEs) in SQL Server, OneNote, SharePoint, .NET, Windows and Internet Explorer.

Microsoft released nine security patches, but “Patch Tuesday” is apparently too quaint of a phrase and will be no more, according to Microsoft’s Brandon LeBlanc. It’s still on the second Tuesday of each month, but it’s been renamed “Update Tuesday” so Microsoft can deliver security patches along with new OS features.

“Rather than waiting for months and bundling together a bunch of improvements into a larger update as we did for the Windows 8.1 Update, customers can expect that we’ll use our already existing monthly update process to deliver more frequent improvements along with the security updates normally provided as part of ‘Update Tuesday’.” Oh, and you can also forget about Windows 8.1 Update 2 as LeBlanc said it’s not being released.

Patches rated Critical

MS14-051 should be top on your list for deployment, as it is rated critical for all currently supported versions of Internet Explorer. The patch resolves one publicly disclosed and 25 privately reported vulnerabilities in IE. The most severe vulnerability could allow remote code execution (RCE) if an attacker were to get a user to visit a maliciously crafted site.

MS14-043 is another RCE vulnerability fix, but for Windows Media Center this time. “The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that invokes Windows Media Center resources.”

Patches rated Important

Although rated only “important,” Microsoft advised that this RCE bug fix also be a top priority for deployment. MS14-048 fixes a privately reported flaw in Microsoft OneNote.

Deployment priority two starts with MS14-045, which patches three privately reported bugs, including an elevation of privilege (EoP) vulnerability, in Microsoft Windows kernel-mode drivers.

MS14-046 patches one privately reported vulnerability in Microsoft .NET Framework. “The vulnerability could allow security feature bypass if a user visits a specially crafted website. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities.”

MS14-047 is another fix for a security feature bypass flaw in Windows. “The vulnerability could allow security feature bypass if an attacker uses the vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, that takes advantage of the ASLR bypass to run arbitrary code.”

Microsoft suggested deploying the next three patches last.

MS14-044 closes two holes in Microsoft SQL Server. The more severe vulnerability, in SQL Server Master Data Services, could allow an attacker to elevate privileges “if a user visits a specially crafted website that injects a client-side script into the user’s instance of IE.”

MS14-049 patches another EoP vulnerability, but in Windows Installer Service this time. “The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.”

MS14-050 fixes a flaw in Microsoft SharePoint Server. “An authenticated attacker who successfully exploited this vulnerability could use a specially crafted app to run arbitrary JavaScript in the context of the user on the current SharePoint site.”

If you still use Internet Explorer 8, that should change after January 12, 2016, as Microsoft said, “Only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.” Beginning January 12, 2016, here’s what Microsoft will support: Windows Vista SP2 and IE 9; Windows Server 2008 SP2 and IE 9; Windows 7 SP1 and IE 11; Windows Server 2008 R2 SP1 and IE 11; Windows 8.1 and IE 11; Windows Server 2012 and IE 10; and Windows Server 2012 R2 and IE 11.

Lastly, in order to deliver a more secure browser, the IE Blog said, “Starting September 9th, Internet Explorer will block out-of-date ActiveX controls.”

Via: networkworld

Why Amazon Is Copying Zappos and Paying Employees to Quit

Amazon founder and CEO Jeff Bezos released his annual letter to shareholders. As is the case every year, it is a tour de force of ideas and initiatives about the customer experience (Amazon Prime), disruptive technology (Fire TV), fast-growing product initiatives (Amazon Web Services), and strategic consistency. (As he does every year, Bezos attached his first letter to shareholders from back in 1997 to underscore the company’s long-term commitments.)

Still, for all these big, cutting-edge innovations, it was a small, pre-existing idea, something that Amazon borrowed from one its subsidiaries, that generated the most public attention. Bezos’s letter unveiled his well-named Pay to Quit program, in which the company offers fulfillment-center employees one-time payments to leave Amazon. Each employee gets the offer once a year. The first time, it’s for $2,000. The offer increases by $1,000 each year after that up to a maximum of $5,000.

If Pay to Quit sounds familiar, there’s a reason. The idea was invented several years ago at Zappos, the online retailer based in Las Vegas that has become iconic for its zeal about customer service. Tony Hsieh and his colleagues call their program The Offer, and it’s made as new recruits experience the company’s deep-dive training program. The Offer, which applies to all new Zappos employees, not just front-line service people, started at $100, went to $500, then $1,000, and now stands at one month’s salary. Amazon bought Zappos back in 2009, and now Jeff Bezos is shipping some of this upstart’s ideas into his behemoth organization.

So what to make of this pay-to-quit boomlet? Why are high-profile innovators like Tony Hsieh and Jeff Bezos making it easy, even attractive, for employees they worked hard to recruit to leave their companies and move on to the next thing?

The first (and most obvious) answer is that unhappy people make for unsuccessful companies. As Bezos notes in his letter, “In the long run, an employee staying somewhere they don’t want to be isn’t healthy for the employee or the company.” This is not, it should be stressed, an indictment of the organization or people who choose to leave. Great companies are great precisely because they stand for something special, different, distinctive. That means, almost by definition, that they are not for everybody. It takes a certain personality type to thrive in the extroverted, almost theatrical, culture of Zappos, or the driven, no-nonsense culture at Amazon. If there isn’t the right fit, it makes perfect sense to quit.

But the more valuable role of these offers may be their impact on the employees who choose to stay. Once a year at Amazon, front-line employees, whose jobs are anything but glamorous, get a chance to sit back, reflect, and choose whether to re-commit to the company and their colleagues. In a sense, Pay to Quit is an annual performance review of the company by its employees: Can I imagine not working in this department, with these people, for this company? It is they who are making the call, they who are choosing not to take the money and run — which creates a deeper sense of engagement and affiliation.

Who can forget the memorable scene in The Godfather, when Michael Corleone explains to his older brother, “It’s not personal, Sonny. It’s strictly business.” (The Corleones, of course, had different techniques for persuading colleagues to, ahem, leave the organization.) The spirit of enterprise today, the energy that makes great companies tick, is precisely the opposite of that much-quoted piece of management wisdom.

Work is personal. That’s the driving force behind the truly great companies I’ve gotten to know, an unshakable sense that a company’s capacity to create economic value for its customers connects directly to its ability to create a sense of meaning and camaraderie for its people at every level of the organization.

And that, I’d argue, is the real takeaway of these programs for leaders in other companies, whether they choose to implement some version of them or not. With all the threats and challenges and competitors in the world, so many of the business leaders I meet focus on the age-old question: What keeps you up at night? What are the problems and worries that nag at you? But the much more powerful question, especially for people on the front-lines of business is: What gets you up in the morning? What keeps everyone more committed than ever, more engaged than ever, more excited than ever, even as the competitive environment gets tougher than ever?

Sure, the most successful innovators think differently from everyone else — Hsieh and Bezos personify that mindset. But the most successful companies care more than everyone else — about customers, about colleagues, about how the organization conducts itself in a world with endless opportunities to cut corners and compromise on values.  You can’t be special, distinctive, compelling in the marketplace unless you’ve built something special, distinctive, compelling in the workplace. Your strategy is your culture, your culture is your strategy.

Here are the questions that matter: How engaged are people at every level of the organization in the company and their work — how personally do they take things? How much money would it take to persuade them to leave the organization? And, in the spirit of The Godfather, what are you doing to make sure Pay to Quit is an offer they can refuse?

Via: hbr

IE plays security catch-up, will block outdated Java plug-ins

Microsoft said that Internet Explorer (IE) will begin blocking out-of-date ActiveX controls — the browser’s proprietary plug-in format — when the company updates the versions that run on Windows 7 and Windows 8 next week.

In a blog post, a pair of Microsoft managers said that IE8, IE9, IE10 and IE11 on Windows 7, as well as IE10 and IE11 on Windows 8’s classic desktop, will be refreshed next Tuesday. The updated browser will then display a notification when a website tries to load an outmoded ActiveX control.

Initially, IE will only block outdated versions of Java.

“It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely,” Fred Pullen, a senior product manager for IE, and Jasika Bawa, a program manager from Microsoft’s security team, said in the Wednesday blog.

When IE encounters an obsolete Java ActiveX control, the warning will let users choose between ignoring the alert, thus running the control, or updating the Java plug-in. Clicking on the “Update” button will direct the browser to the control vendor’s website to download the newest version.

IT administrators will have several new Group Policy settings to manage IE on workers’ PCs, including one that turns off the warning altogether and another that deletes the “Run this time” button and so prevents employees from overriding the notification.

After Tuesday, IE will block all but the current versions of Java. For Java 8, that means a warning will appear if the browser’s running any version except for Java SE 8 Update 11, which Oracle released in mid-July.

Although Microsoft is starting with Java — which has long been targeted by cyber criminals because of a glut of vulnerabilities, but also because users typically run outdated versions — it promised to expand the blocking program.

“We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list,” said Pullen and Bawa. They did not elaborate on what other plug-ins would be blocked, however, or hint at any timetable.

Microsoft is behind its browser-making rivals on locking out, or at least warning users of, outdated plug-ins. Apple’s Safari, Google’s Chrome and Mozilla’s Firefox all have implemented some form of blocking of old, and potentially less-secure plug-ins.

(Microsoft calls its plug-ins “ActiveX controls,” named after the company’s own ActiveX technology, but they serve the same purpose as the plug-ins that work with other browsers.)

Some browsers have also taken the next step and banned plug-ins either entirely or very aggressively. Firefox 26, for example, which launched last December, put Java behind a “click-to-play” wall, requiring users to explicitly approve any execution of the plug-in, even if it is current.

In November 2013, Chrome began blocking nearly all plug-ins written in the decades-old NPAPI (Netscape Plug-in Application Programming Interface) architecture.

And Apple regularly updates its block list of outdated Java and Flash plug-ins used by Safari, a practice begun in 2012.

Microsoft will update IE to block out-of-date Java ActiveX controls on Aug. 12, its monthly “Patch Tuesday,” the day it issues security updates for Windows, IE, Office and its other software.

After an Aug. 12 update, Internet Explorer versions 8 through 11 on Windows 7 and Windows 8 will pop up warnings when an outdated version of the Java ActiveX control is called up by a Web page.

Via: networkworld

HIPAA Grace Period Ends as Audits Begin for Business Associates

When we were kids it seemed like Christmas was always so far away. The older we get, the faster time seems to fly by. For many organizations that were granted a one year grace period for compliance with the Omnibus HIPAA Final Rule regarding Business Associate Agreements (BAAs), the last year may have gone by much faster than you expected.

Effective September 23, 2013, all BAAs were required to comply with new requirements of the Final Rule. However, a one-year grace period was granted for:

  • BAAs that were in place prior to the January 25, 2013 publication date,
  • compliant with prior HIPAA provisions, and
  • were not renewed or modified between the March 26, 2013 effective date and the September 23, 2013 compliance deadline.

This grace period (applicable only to the requirement to amend contracts) is set to expire on September 22, 2014.

In effect, the much-publicized September 2013 compliance deadline of the Omnibus Final Rule applied only to agreements created after January 25, 2013 or renewed/modified between March 26 and September 23, 2013. Therefore, many agreements made prior to January 2013 have not yet been required to comply. The September 22, 2014 deadline may actually apply to many more organizations than the Rule’s stated 2013 deadline.

If your organization has been operating under a BAA that was grandfathered in under this provision, your final deadline is now just a few weeks away. Here’s what you need to know…

Who is a Business Associate?

According to HIPAA Regulations, a Business Associate (BA) is defined as:

A person, partnership, corporation, professional association, or other entity who creates, receives, or transmits PHI on behalf of a Covered Entity (CE) or who provides services to or for the CE involving the disclosure of PHI.

This revised definition of a BA from the Final Rule includes:

  • Health Information Organizations,
  • e-Prescribing Gateways,
  • PHR vendors providing services on behalf of a CE,
  • Any entity who provides data transmission services to a CE involving PHI and has access to PHI, and
  • Subcontractors who create, receive, maintain, or transmit PHI on behalf of a BA.

Offered in the Resources section of Loricca.com, you can access a helpful checklist for determining who is a Business Associate.

What is Required of a Business Associate?

Ultimately, under the Final Rule, a BA must comply with specific provisions of the Privacy Rule and Security Rule requirements the same as a CE. The CE is responsible for requiring any BA that it works with to comply with Privacy Rule obligations related to any functions performed on behalf of the CE.

BAs are now directly liable for HIPAA Rule violations. As the Health and Human Services (HHS) Office of Civil Rights (OCR) prepares to begin a second round of HIPAA audits this fall, BAs as well as CEs will be selected for audits and will be responsible for their compliance with the provisions of the Final Rule. OCR officials have stated that BAs are liable whether or not there is a BAA in place. Additionally, CEs are to be held responsible for violations by BAs and BAs are, in turn, to be held responsible for violations by subcontractors.

What Should be Included in a Business Associate Agreement?

Specific provisions that would be included in any BAA will be dictated by the function of the BA relative to the CE as well as the contractual obligations established for the relationship. However, to be compliant with HITECH provisions, every BAA is also required to specify that the BA (or subcontractor) must:

  • Comply with the HIPAA Security Rule.
  • Report to the CE any breach of unsecured PHI.
  • Enter into BAAs with subcontractors imposing the same obligations that apply to the BA.
  • Comply with the HIPAA Privacy Rule to the extent that the BA is carrying out a CE’s Privacy Rule obligations.

With the full implementation and the end of the grace period prescribed by the Omnibus HIPAA Final Rule, expectations of BAs are essentially the same as those of CEs. With OCR set to resume audits in the coming months, the scrutiny and potential penalties handed down by OCR will also be shared by BAs.

Via: loricca

Get Your Amazon Prime Membership Extended If a Package Arrives Late

Here’s a little-known fact about Amazon’s Prime membership: The company guarantees your package will be delivered at the promised time. If it’s not, Prime members can get a one-month extension of their membership.

As Redditor jeffnnc points out, with the holidays here, chances are greater that the estimated delivery dates will be missed. You have to contact customer support to get the extension, and you can get the extension twelve times in a year.

Those who aren’t Prime members can get the shipping costs refunded by contacting Amazon as well.

Coupled with Amazon’s refund-if-the-price-drops price-matching policy, Amazon really has stellar customer service. Read the fine print on the Prime extension policy below.

Give these ideas a try if you run into this.

Via: lifehacker

Zip Phone Lets You Make Free Calls Over The Internet. Without Launching Its App

A company known as Zip Phone is making it easier to place secure, Wi-Fi enabled phone calls, in order to save consumers from using up the limited number of cellular minutes that come with their smartphone’s voice plan. That’s a more common problem outside of North America, where unlimited calling plans are the norm, though North American consumers can still benefit from Zip Phone while traveling, to avoid roaming charges.

However, what’s interesting about this startup is how the technology itself is deeply integrated with the Android operating system.

Zip Phone’s founder, Anuj Jain, describes the app as something you just install once, then never look at again. Yes, it’s another one of those “invisible apps” – that is, apps that operate in the background, only kicking off when needed.

Jain, a serial entrepreneur from India who has worked on everything from mobile games for J2ME phones to automated trading platforms and more, came up with the idea for Zip Phone in order to solve a problem he faced when working from a basement office with poor cellular reception.

It’s Better On Android

He wanted more than just a Wi-Fi-powered mobile calling app – there are, of course, many of those – but one that worked seamlessly with the Android OS.


“There are dozens of voice-over-IP applications available, Skype, Viber, and LINE being the big ones,” explains Jain. “What makes Zip Phone different is that it’s just ridiculously easy to use,” he says.

With other applications, if you need to place a call to someone, you have to launch the app, sign in, see who’s online, then dial from the app.

“With Zip Phone, you just need to have it installed on your phone once, and that’s it. My philosophy is that you should never have to look at my app again,” says Jain.

Well, technically, you do need to open it once to get it set up, but what Jain means is that Zip Phone integrates with the Android operating system and then becomes a part of your default calling experience. The app detects when you’re on Wi-Fi and takes over the standard Android dialer when it sees the other person also has the app installed. (The calls can be routed over Wi-Fi or cellular, as need be, so it doesn’t require that both users are connected to Wi-Fi for calls to go through.)

In addition, Zip Phone also offers more secure calling. The app encrypts the calls using a combination of encryption methods (RSA and 256-bit AES encryption) so that no one, including the company itself, can listen in. For each phone call, Zip Phone generates new encryption keys that are never stored on the server or your phone, making it impossible for phone calls to be eavesdropped on, Jain says.


Privacy is a top priority for the company, too, he notes, adding that Zip Phone doesn’t store call logs or ask for any other information besides your phone number in order to work.

iOS Version Arrives, But Offers A Different Experience

Though Zip Phone makes the most sense on Android, where it can burrow its way into the operating system, the company has now launched an iOS port to make it a more complete solution. The iOS app operates in a more traditional manner: you have to launch it in order to place your calls.

Jain declined to say how many users Zip Phone has, but Google Play is showing between 10,000 and 50,000 installs. But the founder would say that installs have doubled since joining Y Combinator in June, where they’ve since rebuilt, redesigned and rebranded the app. (It used to be called Awaaz.)

Jain is the sole founder at the small, two-person company, and hasn’t raised outside funding beyond the YC investment.

Via: techcrunch

Amazon offers Prime members video credit for slower shipping

In return for free, “no-rush” shipping, Prime users can score a $1 toward an Amazon Instant video.

Screenshot by Lance Whitney/CNET

Amazon Prime subscribers who don’t need an item right away can now opt to delay the shipping time in exchange for a credit toward a video.

In the past, Prime members trying to purchase an item would see a few choices, such as free standard shipping, free two-day shipping, and one-day shipping at an extra cost. Now a new option has appeared: “Free No-Rush Shipping (5-7 business days).”

In return for waiting the extra few days, a Prime buyer gets a $1 credit good toward an Amazon Instant video. That means you can save a buck if you want to buy or rent an instant video that is not free for Prime subscribers. That may not sound like the greatest deal, but with many rentals going for $1.99 or $2.99, it shaves a bit off the price.

One of the major features of Amazon Prime is free two-day shipping on many products. So why would Amazon play around with such a key benefit? The likely culprit is shipping costs. In March, Amazon raised the annual price tag of its Prime subscription to $99 from $79. In explaining the price boost, the retailer said it had never raised prices on the service despite increased fuel and transportation costs. Shipping costs will continue to rise, and the company can’t justify another price increase. So it is trying to find more palatable and flexible ways to trim expenses.

Amazon is also spending more money to enhance its Prime service overall. The company has moved more intently into original programming as a way to compete with Netflix. It also recently unveiled a new service called Amazon Music through which Prime members can stream and listen to more than 1 million songs.

The retail giant has been branching out with other products as well with the recent launch of its Fire TV and Fire Phone. A new service called Kindle Unlimited offers more than 600,000 Kindle e-books and thousands of Audible audiobooks as all-you-can-consume for $9.99 a month.

But the spending on all those new products and services appears to be taking its toll on the company’s financials. Last Thursday, Amazon reported a second-quarter loss of $126 million, considerably deeper than the $7 million loss in the same quarter last year.

One strategy that the company hopes will pay off is integration among the various products and services. For example, Amazon is positioning its new phone not just as a smartphone but as an entry into its online shopping site, through which Fire buyers will have easy access to its virtual shelves.

Via: cnet

FBI used drive-by downloads to track child porn suspects hidden on Tor

US courts are forcing the FBI to justify drive-by downloads of spyware onto the computers of people visiting child porn sites hidden on Tor.

Tor, a free, open-source program, bestows online anonymity via a circuit of multilayered, encrypted connections routed through a worldwide volunteer network of servers.

It can be used to conceal the network location of both users and services so that neither knows where the other is.

Tor is popular with anyone who wants to remain unseen and unnoticed – from terrorists and buyers or sellers of drugs to political activists and journalists who fear for their safety.

The FBI has in the past blamed Tor for stymying child abuse investigations.

In fact, the US’s efforts to break Tor were revealed by Edward Snowden’s NSA leaks, which showed that the government has vigorously tried to unmask Tor users.

But at least in this case, Tor didn’t manage to stymie the FBI at all.

The agency not only cracked an unsecured forum for child abuse images hidden on Tor; they then took over three child porn sites and boobytrapped them with drive-by spyware downloads.

The operation began with an investigation in the Netherlands in August 2011, where national police looking to crack down on the crime of child abuse imagery wrote a web crawler that prowled the Deep Web, siphoning off every Tor address it came across.

They methodically checked out all the hidden addresses the crawler pulled in, determining which were sites devoted to child-abuse images.

If the sites had been hosted on the World Wide Web then the story would end there – the FBI could have identified the sites’ owners and locations quite easily. On the Dark Web those details are tucked away under the anonymising routing layers of the Tor network.

Fortunately one of the sites, going by the stomach-churning moniker “Pedoboard”, had a good old fashioned security problem – an administrator account with no password.

That open door allowed the FBI in to poke around until they found enough clues about the real location of the site to swoop on its owner.

FBI agents in November 2012 arrested Aaron McGrath, whom they identified as the administrator of three websites that advertised and distributed child abuse images.

McGrath was running sites out of the server farm where he worked in Nebraska, along with one server at his home.

Rather than shut the sites down the government booby-trapped them with malware and continued to operate them for three weeks.

Over the course of the investigation, the FBI identified 25 Tor users of child-abuse images sites, from states all over the US.

Now, 14 of the suspects are headed toward trial in Omaha, Nebraska, where courts are mulling whether or not the government’s behaviour followed the rules of search warrants.

Lawyers are arguing for the evidence to be suppressed, given that the FBI concealed its use of the “network investigative technique”, or NIT, as the agency calls the spyware, beyond the allowed 30-day blackout period during which the search warrant permitted the bureau to operate in secret without notifying its targets about the search.

In fact, some defendants didn’t learn about the spyware until a year after it was downloaded—a stark contrast to normal search warrants, in which subjects are informed “virtually immediately,” defense lawyer Joseph Gross Jr. told Wired, making this a case of “an egregious violation” of the Fourth Amendment’s prohibition of unreasonable searches.

According to Wired’s Kevin Poulsen, this isn’t the first time the FBI has snagged suspects using spyware.

One example: in 2007, the FBI was searching for a teen who had made bomb threats against a Washington high school.

The agency targeted the teen’s MySpace profile with a spyware program that collected enough information to make any cyber crook drool, including the computer’s IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer’s registered owner and registered company name; the current logged-in user name and the last-visited URL.

After it gathered all that, it settled into silent pen register mode, lurking on the computer and monitoring its internet use, including the IP address of every computer it connected to over a period of 60 days.

Chris Soghoian, principal technologist for the American Civil Liberties Union’s (ACLU’s) Speech, Privacy and Technology Project, told Wired that it’s hard to argue with the use of drive-by downloads in a child porn sting, in which there are no innocents involved.

After all, merely looking at child pornography is a crime, he pointed out, which makes it hard to imagine an innocent having any reason to visit a forum that traffics in such images.

The real worry comes with how the FBI might use the technique more broadly, he said:

“You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example. And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs.”

In the current case of the child abuse image suspects, the court so far has not been sympathetic to the arguments that the government acted in bad faith, out of line with search warrant limitations.

US Magistrate Judge Thomas Thalken last week rejected the defense’s motion to suppress evidence, including the implication that the government acted in bad faith.

He wrote:

“The affidavits and warrants were not prepared by some rogue federal agent, but with the assistance of legal counsel at various levels of the Department of Justice.”

The matter now goes to consideration by US District Judge Joseph Bataillon for a final ruling.

I find this to be a moral and civil rights swampland.

The FBI used Tor as a launchpad for what has to be considered malware: software that’s downloaded silently without the consent of the target.

Do the ends justify the means, if the ends are catching child abusers?

Beyond that, this case represents yet another abuse of the anonymising network, which strives to shield people, be they up to good or not, from surveillance and detection.

Until recently, Tor addresses—those so-called hidden services that end in .onion—have been thought to be untraceable.

Well, that may not be the case.

Carnegie Mellon University researchers had actually planned to give a talk at next week’s Black Hat USA 2014 security conference about how it’s possible to break Tor anonymity using a bargain-basement kit that cost less than $3,000 (£1,780).

The talk was cancelled after the university’s lawyers freaked out, but Tor developers last week confirmed that somebody or somebodies have in fact assaulted the anonymising network and may have unmasked the people who run or visit hidden sites.

In this case, though, the FBI didn’t need to find an architectural flaw in Tor, just the lowest-hanging security fruit you can grab: the lack of a password on an administrative account.


Via: nakedsecurity

1.2 billion logins scooped up by CyberVor hacking crew – what you need to do

Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.

That’s according to security monitoring and assessment firm Hold Security, whose past record includes work on uncovering last year’s Adobe source code leak.

Researchers monitored the gang for over seven months. It is thought to be “fewer than a dozen men in their 20s who know one another personally”, based in a small city in central Russia.

They found that the group, working together since at least 2011, had rented time on bot-infected machines around the world, and rather than the more standard techniques of sending masses of spam, distributing malware or monitoring the infected system to catch banking logins, had instead monitored each and every website visited by the compromised host’s user, probing for vulnerabilities to SQL injection attacks.

Vulnerable sites were then plundered for any data they could be tricked into leaking, which was added to the gang’s epic cache.

By the time it was acquired by Hold Security, this amounted to 4.5 billion records, including the 1.2 billion unique login pairs and over half a billion unique email addresses. The data has apparently been verified as genuine by an independent expert at the behest of the New York Times.

SQL injection attacks are one of the most common ways of compromising web-facing systems.

Databases are used by websites to store all sorts of information, including sensitive data like passwords and credit card details.

Because of their sensitivity, these databases are not publicly accessible and are visible only to the website that uses them. But if that website is not coded with security in mind, attackers can use the website as a go-between that gives them indirect access to the database.

Although this haul is staggeringly large, the infrastructure and techniques required to perform the attack are nothing new, according to SophosLabs’ Senior Threat Researcher James Wyke.

A large proportion of all the malware families that we see form some sort of botnet. In fact there are relatively few categories of malware that don’t.

Even those that don’t are often spread through botnets – CryptoLocker was spread via the Gameover Zeus botnet for example.

Botnets themselves can be extremely large. We estimated that the ZeroAccess botnet managed to infect over 9 million machines and the number of Gameover infections was also in the millions.

If you want to understand more about botnets and what they do, listen to the TechKnow podcast with James and Naked Security’s Paul Ducklin.


The researchers who uncovered the cache of data have described the technique as “possibly the largest security audit ever”.

Of course, the huge numbers will be inflated by the inclusion of expired and throwaway logins, but given the general state of password security it seems inevitable that a pretty large number of people will be at some sort of risk from this mass harvesting.

At the moment, apparently, the gang, which Hold have dubbed “CyberVors” from the Russian for “thief”, are mainly using the data to provide social network spamming services, but it could easily be used for any kind of account hijacking or identity theft in future.

It also seems inevitable that with such a large haul from such a wide range of sites, there will be more than just usernames, passwords and email addresses in there, not least social security numbers and payment card information.

The researchers say they are working through the list of vulnerable sites, informing the owners and urging them to shore themselves up, but with close to half a million to get through that could take some time.

They’re also working on a secure way of allowing people to check the dataset for their own passwords to see if they’ve been compromised.

Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days.

That isn’t how these kinds of breaches are normally handled, SophosLabs’ Principal Virus Researcher Vanja Svajcer explains:

This is quite an unusual approach to remediating an alleged major credentials compromise. For a long time the security industry has freely shared information on breaches within its own community.

Researchers discovering credentials breaches usually help end users either by making the information about compromised accounts public or by working with the company whose servers were compromised … it is reasonable to expect the company to make the information freely available so everybody can check that none of their email addresses have been compromised.

Sixty days is a long time to wait. If you can’t find out if you’re affected what should you do today?

Website users

There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.

Because the sites that were successfully attacked were compromised through easily avoided vulnerabilities, it’s prudent to assume those sites didn’t secure the data in their databases properly either. Even strong passwords are at risk if they aren’t stored correctly.

That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you’re one of them. We recommend that you:

  • Change your website passwords
  • Use a unique password for each website
  • Use two-factor authentication wherever you can
  • Check bank and social media accounts for suspicious behaviour
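The remark above that even strong passwords are at risk if they are not stored correctly is worth making concrete. The following is an added example written for this page, not code from the article or from Sophos: it contrasts a single fast, unsalted hash (the kind of storage that turns a leaked table into an easy offline guessing exercise) with a per-user salted, deliberately slow PBKDF2 hash and a constant-time verifier. The iteration count and record format are choices made for this example, not values from the article.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Chosen for this example (not from the
# article); high enough that guessing a stolen record offline is slow.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def weak_store(password):
    """What 'not stored correctly' commonly looks like: one fast, unsalted hash.
    Every user with the same password gets the same stored value, and a stolen
    table can be attacked with precomputed tables or billions of guesses per second."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. The output is a self-describing record
    (algorithm$iterations$salt$hash) so the work factor can be raised later
    without breaking records already in the database."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so a malformed or foreign record simply fails."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(derived_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_collides(password):
    """Two users who chose the same password: returns (weak scheme collides,
    salted scheme collides). Per-user salts make the second value False."""
    weak_same = weak_store(password) == weak_store(password)
    salted_same = hash_password(password) == hash_password(password)
    return weak_same, salted_same


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    record = hash_password("correct horse battery staple")
    print("stored record :", record)
    print("correct guess :", verify_password("correct horse battery staple", record))
    print("wrong guess   :", verify_password("Correct horse battery staple", record))
    print("collisions    :", same_password_collides("correct horse battery staple"))
```

The point of the record format is operational: when the iteration count is raised, old records still verify because each one carries its own parameters, and can be rehashed the next time the user logs in.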

Website owners

This data haul may yet turn out to be a ‘Heartbleed’ moment for website owners who assume their sites are too small to be of interest to hackers.

The gang that amassed this giant data haul didn’t discriminate between popular or unpopular, large or small. All that mattered was vulnerability.

Fortunately SQL injection attacks are easily defeated by simple coding practices.

We recommend that website owners:
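The simple coding practice that defeats SQL injection is to never splice user input into SQL text, and instead pass it as a parameter. The following is an added example for this page, not code from the article or from Sophos, covering both the “go-between” mechanism described earlier (the website relays attacker-chosen text to a database it alone can reach) and the fix. It uses an in-memory SQLite table with constructed sample rows; the table layout, the lookup functions and the crafted input are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows standing in for a website's user table; the hash
# values are placeholders, not real credentials.
SAMPLE_USERS = [
    ("alice", "hash-for-alice"),
    ("bob", "hash-for-bob"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The go-between problem: user input is spliced into the SQL text, so the
    database cannot tell where the developer's query ends and the input begins.
    Whatever the visitor typed is executed as part of the query."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value travels to the driver separately from the
    SQL text and is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# A constructed input that is a valid SQL fragment rather than a plausible
# username. In the vulnerable version it turns a one-row lookup into a dump of
# the whole table, which is how a gang "plunders" a database through a website.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def compare(username):
    """Run both lookups against fresh copies of the sample database and report
    how many rows each hands back to the caller."""
    return {
        "vulnerable_rows": len(lookup_vulnerable(make_db(), username)),
        "safe_rows": len(lookup_safe(make_db(), username)),
    }


if __name__ == "__main__":
    print("normal login :", compare("alice"))
    print("crafted input:", compare(TAUTOLOGY_INPUT))
```

For a legitimate username both functions return one row. For the crafted input the string-built query returns every row in the table, while the parameterised query returns none, because no user is literally named `x' OR '1'='1`. Detecting the difference at the web tier is hard; preventing it at the query layer is a one-line change.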


Via: sophos