Friday, March 4, 2016

Are Your Kids The Latest Target Of Hackers?

The short answer is yes. V-Tech and Hello Kitty join the depressingly long list of companies to have been hacked in 2015. This time, however, the data taken were overwhelmingly about children – their usernames, passwords, addresses, birthdays, photos, and other personal information.
At first glance, you may wonder why hackers would bother, but there are three major reasons for targeting toy companies. First, they are an easy target: V-Tech representatives admit that the company’s security was subpar. Second, children tend to reuse passwords just as adults do, so a password for one site may unlock most, if not all, of the sites that child uses. Some of those sites require payment to unlock features, or are purchasing portals, so the child’s information may inadvertently expose a parent’s credit or debit card information.
Third, and perhaps most chillingly, it could well be about the long game. A hacker need only wait until the child is old enough to get a credit card and then steal his or her identity. It’s not like it costs anything to store the data and wait, and given how easy it was to breach V-Tech and Hello Kitty’s security, that’s as good as being handed free money.
There are two tragedies rolled into one here. The first and most obvious is that not even our kids are safe from hackers, and nothing seems sacred to them. The second is that the breach could have been avoided. It’s not like V-Tech or Hello Kitty didn’t have ample warning or ample opportunity to protect themselves against such things. Online tech portals have been screaming from the rooftops all year about the dangers, and outlining the steps companies need to take if they want to be secure. V-Tech and Hello Kitty simply opted to do nothing with the information. That makes it somewhat difficult to feel sorry for them. They got lucky for a while, skating by with minimal security. Looks like their luck ran out. How’s security at your company? If you are unsure, a network audit is probably your best first course of action.

Saturday, October 1, 2011

Facebook Revamps News Feed, Annoying Users

Facebook's F8 Developer Conference is just days away, but the social network has already debuted a new "smarter" News Feed.

For a couple of years now, Facebook has had a two-tabbed News Feed, one with "Top Stories," or updates Facebook thought you'd be interested in (based on your browsing history), while the other tab had the "Most Recent" updates. Facebook has apparently decided to get rid of this two-tabbed interface and integrate users' Top Stories and Most Recent Stories in one big, smart, News Feed.

Now when you log in to Facebook, you'll see a smart News Feed with all of your updates -- both the "important" and recent ones -- in one place. Facebook will still try to determine which stories will most interest you, and will highlight these "top stories" with a pale blue corner.

Facebook says that the top stories will depend on how long it's been since you've logged into Facebook. In other words, if you haven't visited the site in a while, your top stories may not be extremely recent (rather, Facebook will try to give you an overview of the important stuff that happened when you were gone). But if you just logged in five minutes ago, your top stories will probably all have happened within the last five minutes.

According to Facebook's Updates to News Feed FAQ page, top stories are determined based on a number of factors. These factors include your relationship to the person posting the update, how many comments and likes the update receives, and what type of update it is. You can still hide updates if you think they're boring or spammy (even if they are from your best friend) by hovering over them and clicking the drop-down menu. This menu gives you the option of hiding the story, hiding all posts by that person, and reporting the story as (real) spam.

Facebook's new News Feed has only been live for a few hours, but people are already voicing their annoyance on PCWorld's Facebook page.

"I don't like this update because now it's a bit more confusing to find recent updates," says PCWorld reader Devon Tourond. "I do like the new update they added to the top of the page, now I can scroll through the page and the header follows me."

"FB should have a simple toggle function between 'recent stories' and 'top stories,' " says PCWorld reader Anthony Nozzi. "Better yet, they should enable a user to prioritize their news feeds by assigning a ranking score to each particular page that provides the news feeds. That way, a user can control which pages get the highest priority in providing news feeds."

Facebook's also added a real-time feed in the upper-right corner of the page. Some readers are concerned that this will adversely affect their privacy, but as far as I can see the updates in the box will not share more than can normally be found on a person's private profile page.

Skype iPhone, iPod Touch App Has Security Hole


Skype is working to fix a security hole in its iOS app for the iPhone and iPod Touch that allows a hacker to steal a person’s entire address book. The vulnerability, located in the app’s chat message window, can be exploited with JavaScript code. It was pointed out by security researcher Phil Purviance of AppSec.

"Skype uses a locally stored HTML file to display chat messages from other Skype users, but it fails to properly encode the incoming user’s ‘Full Name,’ allowing an attacker to craft malicious JavaScript code that runs when the victim views the message," Purviance wrote on his blog.

The heart of the problem, according to Purviance, is an improper definition within the Skype app that allows access to a user's local file system. He says the threat is partially mitigated by protections within iOS itself, but the address book remains vulnerable.
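
The encoding failure quoted above, as an added example that is not Skype's code and not from Purviance's post: a hypothetical chat renderer that concatenates the sender's full name into HTML, beside a version that HTML-encodes it, with a regression check that reports names emitted without encoding. The message shape, function names and sample names are assumptions constructed for illustration.

```javascript
// Added illustration; the message shape and all names here are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender-controlled fullName is concatenated into markup,
// so any tags or attributes inside it become part of the chat page.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><span class="from" title="${msg.fullName}">` +
    `${msg.fullName}</span><p>${escapeHtml(msg.body)}</p></div>`;
}

// Hardened pattern: every sender-controlled field is encoded on output.
function renderMessageSafe(msg) {
  const name = escapeHtml(msg.fullName);
  return `<div class="msg"><span class="from" title="${name}">` +
    `${name}</span><p>${escapeHtml(msg.body)}</p></div>`;
}

// Regression check: a renderer passes only if each name appears in its
// encoded form. Returns the names that were emitted without encoding.
function unencodedNames(render, messages) {
  return messages
    .filter((m) => !render(m).includes(escapeHtml(m.fullName)))
    .map((m) => m.fullName);
}

// Constructed sample messages (not captured traffic).
const samples = [
  { fullName: 'Alice Example', body: 'lunch at 1 < 2?' },
  { fullName: 'Bob <script>void 0</script>', body: 'hello' },
  { fullName: 'Carol" data-constructed="1', body: 'hi' },
];

console.log('unsafe renderer leaks:', unencodedNames(renderMessageUnsafe, samples));
console.log('safe renderer leaks:  ', unencodedNames(renderMessageSafe, samples));
```

Encoding has to happen at the point where the name is written into the page, for every field the remote user controls, since the attribute context (`title`) is as exposed as the element body.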

Skype appears to be in no hurry to fix the problem. In a tweet, Purviance said he notified Skype of the vulnerability on August 24, and was told that an update addressing the issue would be released in early September.

A statement from Skype confirms that the company is aware of the issue and will fix it "in our next planned release, which we hope to roll out imminently."

You can watch a demonstration of exactly how the exploit works in this video, created by Purviance:


Facial Recognition Technology: Facebook Photo Matching Is Just the Start

As facial recognition tech moves into law enforcement, military use, and targeted advertising, and onto the streets of your town, will your privacy be a casualty?

The Internet was in an uproar earlier this year following Facebook's launch of facial recognition software for its photo services, enabling users to identify their friends in photos automatically--and without their permission. Though critics described that move as creepy, the controversial technology may now be on the verge of widespread use.

For instance, this month a Massachusetts company called BI² Technologies will roll out a handheld facial recognition add-on for the iPhone to 40 law enforcement agencies. The device will allow police to conduct a quick check to see whether a suspect has a criminal record--either by scanning the suspect's iris or taking a photo of the individual's face.

Earlier this week, reports surfaced that the military and Georgia Tech Research Institute had started testing on autonomous aerial drones that could use facial recognition software to identify and attack human targets--in effect, the software performs the assessment that determines who gets killed.

And in yet another development, the Federal Trade Commission announced earlier this week that it will hold a free public workshop on December 8, 2011, to examine various issues related to personal privacy, consumer protection, and facial recognition technology.

Of course, the government and large private companies have had access to facial recognition software for years. The pressing question today is what happens to privacy when everyone has access to the technology? Already smaller businesses--and even private individuals--are developing sometimes amazing, sometimes very creepy uses for security-focused software.

[Image: Tom Cruise encounters facial-recognition-generated ads in a scene from the film Minority Report.]

In Las Vegas, advertisers have taken a page from Minority Report, the 2002 Tom Cruise movie. The Vegas advertisers use facial recognition to target ads to passers-by. For instance, if a woman in her mid-twenties walks past the advertising kiosk, its built-in software will identify her likely age and gender and then display ads for products deemed appealing to her specific demographic.

Meanwhile, in Chicago, a startup called SceneTap links facial recognition technology to cameras in bars and clubs so that users can figure out which bars have the most desirable (in their opinion) ratio of women to men--before they even arrive.

If you think the corporate implications are unsettling, wait until the general population gets deeply involved in using facial recognition technology. One recent instance: In the wake of the August London riots, a Google group of private citizens called London Riots Facial Recognition emerged with the aim of using publicly available records and facial recognition software to identify rioters for the police as a form of citizen activism (or vigilante justice, depending on how you feel about it). The group finally abandoned its efforts when its experimental facial recognition app yielded disappointing results.

Though the members of London Riots Facial Recognition undoubtedly believed that they were working for the greater good, what happens when people other than concerned citizens get their hands on the technology? It shouldn't take too long for us to find out.

Present-Day Reality Check

The use of facial recognition software by governments and online social networks continues to provide headline fodder. A Boston-area man had his driver's license revoked because when the U.S. Department of Homeland Security ran a facial recognition scan of a database containing the photos of Massachusetts drivers, it flagged the man's license as a possible phony. Afterward it emerged that the system had confused the man's face with someone else's.

[Image: Scene from the 2011 London riots.]

In England, law enforcement officials ran photos of August riot suspects through Scotland Yard's newly updated face-matching program, which is under consideration for use during the 2012 Summer Olympics in the UK. In Canada, an insurance company invited Vancouver police to use its facial recognition software to help identify rioting fans after the Vancouver Canucks hockey team lost the seventh game of the NHL championship series.

And of course Facebook endured a hailstorm of criticism in June when it announced its plans to roll out a facial recognition feature for its members to provide semiautomatic tagging of photos uploaded to the social network.

One Facebook critic was Eric Schmidt, executive chairman of Google, who said earlier this year that the "surprising accuracy" of existing facial recognition software was "very concerning" to his company and that Google was "unlikely" to build a facial-recognition search system in the future.

Indeed, Google seems to have been so concerned by the technology that Schmidt declined to implement it even though his company already had the know-how to make it. “We built that technology and withheld it,” Schmidt said. “People could use it in a very bad way.”

Tuesday, August 30, 2011

When Hackers Become the Good Guys


At DefCon III in 1995, the young crowd of 470 spent their time jamming a local radio station broadcast and playing Hacker Jeopardy at midnight when they couldn't drink at the bar. "Free Kevin" stickers were plastered everywhere protesting the jailing of fugitive hacker Kevin Mitnick, and a 14-year-old ran away from home to attend the event. (I know because I was there.)
At DefCon 19 this year, plenty of the nearly 12,000 attendees had gray hair, most work as security professionals, and some even brought their children. Mitnick was there signing copies of his latest book, "Ghost in the Wires," and posing for photographs, before appearing as a guest on "The Colbert Report" last week.
A community is growing and growing up.
In the early years, DefCon founder Jeff Moss used to say "if you're 20 and you're working for The Man, you're a loser," Richard Thieme, author of "Mind Games" and a professional speaker, recounted in his DefCon talk this year and in an interview with CNET afterward. "Ten years ago, Moss said 'if you're 30 and you're not working for The Man, you're a loser.' And now he agreed that at 40 he is The Man."
Moss, aka "Dark Tangent," started DefCon in 1993 as a farewell party to a buddy, only to have it become the world's largest hacker conference. He sold off the more commercial Black Hat security conference, which frees him up for public service--he serves on the Homeland Security Advisory Council and was named the chief security officer for the non-profit Internet Corporation for Assigned Names and Numbers (ICANN) earlier this year.
Another hacker role model who is having a very direct impact on U.S. cyber security policies and funding is Peiter Zatko, who was better known as "Mudge" when he was a member of The Cult of the Dead Cow (CDC) and L0pht hacker groups in the 1990s. He presented at a session on password cracking and holes in Microsoft software at DefCon in 1996. This year, he gave a keynote talk at Black Hat about his plans as program manager for the information innovation office at the Defense Department's DARPA (Defense Advanced Research Projects Agency) to fund hacker spaces and small security start-ups.


Read more: http://news.cnet.com/8301-27080_3-20095649-245/when-hackers-become-the-man/#ixzz1WVPoCjyq