*** The Security News Thread ***

[baldrick]

dunno

they could have geolocated and noticed that the haxoring did not start till 10 or 11 in the morning and stopped for an hour in the afternoon when the young and the restless was on the tele

so thus the cnuts were on the dole

[Cujo]

Thought you were going to hack his drop box.

I did ? link ? probably harry asking me some silly challenge so he could share with me his ladyboy porn collection

let me hack your dropbox account, I am sure I would get all your passwords there

and then I will store all my gay porn on your Dropbox,

you will be wanking silly until your death,

https://teakdoor.com/3341469-post175.html

[harrybarracuda]

Just two days after Yahoo! admitted hackers had raided its database of at least 500 million accounts, the Purple Palace is being dragged into court.

Two Yahoo! users in San Diego, California, filed on Friday a class-action claim [PDF] against the troubled web biz: Yahoo! is accused of failing to take due care of sensitive information under the Unfair Competition Act and the state's Consumer Legal Remedies Act, plus negligence for its poor security, and breaking the Federal Stored Communications Act.

The stolen Yahoo! database includes people's names, email addresses, telephone numbers, dates of birth, hashed passwords and encrypted or unencrypted security questions and answers about their personal lives.

“There's a sense of violation,” the plaintiffs' lawyer David Casey, of Casey Gerry Schenk Francavilla Blatt & Penfield, told The Register last night.

“We think they breached their duty of trust to the clients and violated privacy laws. I anticipate hundreds of cases will be filed and then those will be consolidated into one federal class action suit.”

Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders. The plaintiffs are seeking redress and damages from Yahoo!

The court filing also states that Yahoo!, which is based in Sunnyvale, California, had “unreasonably delayed” telling its customers about the mega-hack. It points out that the incident, which Yahoo! blamed on state-sponsored hackers, occurred back in 2014, and the webmail giant should have detected it sooner and let people know a long time ago.

“There’s a lot of anger over the delay,” Casey said. “The delay is pretty inexplicable.”

While this is the first sueball lobbed at Yahoo!, it is unlikely to be the last. If even a fraction of the 500 million Yahoo! users targeted by hackers take action against the company, and win even a miserly award, the potential costs to the biz could count in the high multi-millions.

Under the circumstances the due diligence team at Verizon, which in July confirmed it wanted to buy Yahoo! for $4.8bn, are going to be recalculating their figures as to the net worth of the Purple Palace. Having such large liabilities hanging over Yahoo! can only depress its value.

Verizon told The Register that it was informed about the hack just a few days in advance of this week's staggering confession – which raises questions in itself. In late July and early August, news articles were circulating warning that stolen Yahoo! customer information was being sold on the dark web. One wonders why Verizon didn’t pick up on this earlier.

One possible theory is that while investigating the 200 million or so account records being touted on underground souks, Yahoo! discovered a separate larger break-in by government-backed hackers – and has only just confirmed that.

In the meantime, legal action will continue to mount in America, the land of the lawsuit. Yahoo! should also expect folks overseas to start lawyering up, too. It’s going to be an expensive Fall for the organization. ®

And! it! begins! Yahoo! sued! over! ultra-hack! of! 500m! accounts! ? The Register



"Casey said that at least one of his clients had already seen dodgy activity on their credit card which had been attributed to the attack and another was concerned that their financial and tax data had been viewed by outsiders."

Tip: You're doing it wrong.

[Neo]

I have seen the future of the Internet: Millions of rogue fridges will render it unusable | Ars Technica UK


A smart fridge that was apparently subverted into showing Pornhub in a US store.


High-resolution pictures and videos may reveal more than you want.

[Neo]

Brace yourselves: Source code powering potent IoT DDoSes just went public | Ars Technica UK

[harrybarracuda]

Sounds like a recipe for utter disaster!

The LG adverts on telly don't do it justice. The LG Internet Refrigerator has the coolest set of features ever seen in the kitchen. It is a 730 litre, stainless-steel, side by side fridge, with an in-built computer which can be accessed via a 37 centimetre touch-screen LCD monitor mounted on the fridge door. Users can watch TV, listen to MP3 music, take and store digital photos, make a video phone call, use the fridge as a message board or surf the web. It also has VCR and DVD ports, a microphone and speakers. Information about food in the fridge can be stored and a map of the fridge allows the owner to keep an inventory of what foods are in each section and how long they have been there.

[harrybarracuda]

If you're wondering what came in your one-size-fits-all Microsoft Update this month:

October 11, 2016
Patch Tuesday: Microsoft patches five zero day vulnerabilities

October's Patch Tuesday is the first to use Microsoft's monthly roll out update system.

Microsoft today issued 10 bulletins covering 45 vulnerabilities, including 5 zero days for this month's Patch Tuesday update, the first using the company's new update methodology.

Five of the updates are rated critical, four important and one moderate and cover several Microsoft products including Windows, IE, Edge and Office. Exploitation of any of the the problems rated critical could result in remote code execution, Microsoft reported. The zero day vulnerabilities are contained in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126 and are being exploited in the wild.

“Overall it's a mid-sized B week security update but is critical due to the presence of the large amount of 0-day patches,” Amol Sarwate, director of vulnerability Labs at Qualys said to SCMagazine.com in an email.

The zero day in MS-118 is CVE-2016-3298, a Microsoft browser information disclosure vulnerability; in MA-119 it is CVE-2016-7189, a scripting engine remote code execution vulnerability; MS16-120 has CVE-2016-3393, a Windows graphics component RCE vulnerability; MS16-121 is CVE-2016-7193, a Microsoft Office memory corruption vulnerability; and the last one is CVE-2016-3298 in bulletin MS16-126, the only zero day that is not rated critical, just moderate. It fixes an Internet Explorer information disclosure vulnerability.

“This month sees another pass for the vast majority of Microsoft server admins, since nearly all of the patches released in October are solidly client-side. The only exception to this slate of desktop patches is MS16-121, which affects Microsoft SharePoint Server, by way of Microsoft Office. Left unpatched, an attacker who has the ability to store documents on SharePoint can upload a specially-crafted RTF file to gain remote code execution (RCE) on the affected server," Tod Beardsley, Rapid7's security research manager, told SCMagazine.com in an email.

Microsoft's October Patch Tuesday update is the first to take place using the company's new “monthly rollup” methodology, a system that was not greeted very warmly by industry execs when it was first announced.

Microsoft said in August that it would institute the “monthly rollup” for its October update that will include security issues and reliability issues in a single update instead of putting out a series of updates from which system administrators can pick and choose. Microsoft believes this will make life easier for admins and make Windows more reliable by eliminating update fragmentation.

“The big news this month is of course Microsoft's move towards monthly rollup patches for all OS going back to Windows 7. Moving forward, Microsoft will be releasing two patches for each platform. The first patch contains only security relevant bug fixes while the other patch, marked as a monthly rollup, may also contain fixes for non-security bugs to improve software reliability,” said Craig Young, Tripwire security researcher said to SCMagazine.com in an email.

Young went on to note that this method can cause security teams problems if one aspect of the update is not compatible with their system. This places them in the difficult position of installing software with a known compatibility issue or not installing the update leaving their system vulnerable. Another potential problem is if the all-in-one updates become large the download itself could hog system resources.

Patch Tuesday: Microsoft patches five zero day vulnerabilities

[harrybarracuda]

If you get hit by Ransomware, then this should be your first port of call.

Remember the golden rule: Don't pay!

‘No More Ransom’ Goes Global: Another 13 Police Forces Join Fight Against Ransomware
More than 2,500 victims were able to decrypt their data, with more than $1 million dollars already saved, thanks to the global initiative

October 17, 2016 06:05 AM Eastern Daylight Time

WOBURN, Mass.--(BUSINESS WIRE)--Just three months after the successful launch of the No More Ransom project, law enforcement agencies from a further 13 countries have signed up to fight ransomware together with the private sector.

The new members are: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom. Additional law enforcement agencies and private sector organizations are expected to join the program in the coming months. This collaboration will result in more free decryption tools becoming available, help for even more victims to decrypt their devices and unlock their information, and damaging the cybercriminals where it hurts the most: their wallets.

No More Ransom was launched on July 25, 2016, by Kaspersky Lab, the Dutch National Police, Europol, and Intel Security, introducing a new level of cooperation between law enforcement and the private sector to fight ransomware1 together. The aim of the online portal (www.nomoreransom.org) is to provide a helpful resource for victims of ransomware. People can find information on what ransomware is, how it works and, most importantly, how to protect themselves.

During the first two months, more than 2,500 people have successfully managed to decrypt their data without having to pay the criminals, using the main decryption tools on the platform (CoinVault, WildFire and Shade). This has deprived cybercriminals of an estimated $1+ million in ransoms.

Currently, five decryption tools are available on the online portal. Since its launch in July, the WildfireDecryptor has been added and two decryption tools updated: RannohDecryptor (updated with a decryptor for the ransomware MarsJoke aka Polyglot) and RakhniDecryptor (updated with Chimera).

“The fight against ransomware succeeds best when law enforcement agencies and the private sector join forces,” said Jornt van der Wiel, Security Researcher at the Global Research and Analysis Team at Kaspersky Lab. “Information-sharing is the key to effective collaboration between the police and security researchers. The easier and faster it happens – the more effective the partnership becomes. Getting more law enforcement agencies from different countries on board will therefore improve operational information-sharing, so that in the end ransomware will be fought more successfully," he added.

“Europol is fully committed to supporting the enlargement of the No More Ransom project within the EU and internationally to respond to ransomware in an effective and concerted manner,” says Steven Wilson, head of the European Cybercrime Centre. “Despite the increasing challenges, the initiative has demonstrated that a coordinated approach by EU law enforcement that includes all relevant partners can result in significant successes in fighting this type of crime, focusing on the important areas of prevention and awareness. I am confident that the online portal will continue to improve in the months to come. All police forces are warmly encouraged to join the fight.”

In order to broaden the audience and improve results even further, the portal is currently being adapted to support different language versions. As a second step, the project will welcome new companies from the private sector as well, after a very high level of interest and countless requests received.

http://www.businesswire.com/news/home/20161017005152/en/%E2%80%98No-Ransom%E2%80%99-Global-13-Police-Forces-Join

The actual site is here:

https://www.nomoreransom.org/

[harrybarracuda]

“Most serious” Linux privilege-escalation bug ever is under active exploit
Lurking in the kernel for nine years, flaw gives untrusted users unfettered root access.

DAN GOODIN - 10/20/2016, 11:20 PM

A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."

The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

As their names describe, privilege-escalation or privilege-elevation vulnerabilities allow attackers with only limited access to a targeted computer to gain much greater control. The exploits can be used against Web hosting providers that provide shell access, so that one customer can attack other customers or even service administrators. Privilege-escalation exploits can also be combined with attacks that target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit, however, such attacks can often achieve highly coveted root status.

The in-the-wild attacks exploiting this specific vulnerability were found by Linux developer Phil Oester, according to an informational site dedicated to the vulnerability. It says Oester found the exploit using an HTTP packet capture, but the site doesn't elaborate. Attempts to reach Oester for additional details weren't immediately successful. This post will be updated if more information becomes available.

The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Disclosure of the nine-year-old vulnerability came the same week that Google researcher Kees Cook published research showing that the average lifetime of a Linux bug is five years.

"The systems using a Linux kernel are right now running with security flaws," Cook wrote. "Those flaws are just not known to the developers yet, but they’re likely known to attackers."

?Most serious? Linux privilege-escalation bug ever is under active exploit | Ars Technica

[Dragonfly]

probably easy to exploit in a lab, but not in real life, like most exploits actually

[harrybarracuda]

probably easy to exploit in a lab, but not in real life, like most exploits actually

Duh. Try reading more than the headline and trying to be smug.

What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

[harrybarracuda]

You have to wonder about the NSA. This bloke managed to snaffle 50Tb without being caught.

Their network operations centre actually phoned Ed Snowden in Hawaii to ask him if he needed more bandwidth because he was downloading so much data.

Some "security" agency!

The Justice Department alleges Harold Thomas Martin III stole 50TB of data, including materials that were marked "Secret" and "Top Secret."


Back on Aug. 27, National Security Agency contractor Harold Thomas Martin III was arrested on charges of confidential information theft. Initially investigators found six classified documents in Martin's possession, but on Oct. 20, the U.S. Justice Department alleged that Martin's theft of secrets was vastly larger.
"During execution of the search warrants, investigators seized thousands of pages of documents and dozens of computers and other digital storage devices and media containing, conservatively, fifty terabytes of information," the legal filing against Martin states.
The filing notes that many of the seized materials are marked "Secret" and "Top Secret" from the period of 1996 to 2016. During that period, Martin worked first in the U.S. Naval Reserves and thereafter for seven different private government contracting companies.
"Throughout his government assignments, the Defendant violated that trust by engaging in wholesale theft of classified government documents and property—a course of felonious conduct that is breathtaking in its longevity and scale," the court filing states.

[harrybarracuda]

How to scan your IoT devices....

Internet of Things (IoT) Scanner - BullGuard

[harrybarracuda]

I'm with Google here; if it's being exploited they should at least have come up with a workaround or an advisory.

Hackers 'actively exploiting' Microsoft Windows security loophole, Google warns
11:41, 1 NOV 2016 UPDATED 11:42, 1 NOV 2016
BY MARTYN LANDI
The internet search engine giant said it informed Microsoft over flaw 10 days ago, but no fix has yet been released.

Google has exposed a security flaw in Microsoft Windows, warning that it is already being "actively exploited" by hackers.

The internet giant said in a post on its security blog that it informed Microsoft of the weakness in the kernel or core of the Windows operating system on October 21, but a fix is yet to be released.

The bug can be used to escape what are known as security sandboxes, which are designed to isolate malicious code.

However, the declaration has angered Microsoft, which says Google could endanger Windows users by revealing the vulnerability before an update to fix the problem has been issued.

"We believe in co-ordinated vulnerability disclosure, and today's disclosure by Google could put customers at potential risk," the Windows developer said in a statement.

"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.

"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

Google said the flaw is "particularly serious because we know it is being actively exploited" and, as part of its bug disclosure policy on active flaws, waits only seven days before going public with its findings, rather than the normal 60 days. Google said it did this to "protect users".

Google also revealed it had discovered a bug in Adobe's Flash software, although Adobe issued a fix for the problem on October 26.

"We encourage users to verify that auto-updates have already updated Flash - and to manually update if not - and to apply Windows patches from Microsoft when they become available for the Windows vulnerability," Google's Threat Analysis Group said.

Read Microsoft’s snarky response to Google uncovering a Windows flaw
by Sean Keach
36 minutes ago

Microsoft has hit back at Google after the search engine giant unveiled a “critical vulnerability” in Windows.

On October 21, Google warned Microsoft privately about a major security flaw in Windows that was already being exploited by hackers. Then, just 10 days later, Google went live to the public with the flaw. Unfortunately, when Google published its findings in detail, Microsoft still hadn’t fixed the issue, which potentially left Windows users more exposed than they had been before.

“After seven days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” reads a blog post written by Neel Mehta and Billy Leonard, of Google’s Threat Analysis Group. “The vulnerability is particularly serious because we know it is being actively exploited.”

It continued: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape."

But in a statement to VentureBeat, Microsoft revealed it wasn’t too chuffed with Google going public about the flaw. It reads:

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

So what should you do to stay safe? Well, it appears that the vulnerability can be traced to a flaw in Adobe Flash, which has since been patched by Adobe. But Google still recommends that if you’re using an auto-updater for Flash, you should verify whether or not you have the latest version. And it also recommends that you immediately apply any Windows patches from Microsoft “when they become available for the Windows vulnerability”.


Read more at Read Microsoft?s snarky response to Google uncovering a Windows flaw

Google has revealed that it came across previously undiscovered Flash and Windows vulnerabilities in October, and one of them remains unpatched. The tech titan gave both Adobe and Microsoft a heads-up on October 21st -- Adobe issued a fix on October 26th through a Flash update, but Microsoft hasn't released one for its platform yet. The real problem is, according to Google, that unpatched Windows flaw is "being actively exploited."

Google describes the Windows flaw as follows:

"The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome's sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability."

As VentureBeat mentioned, however, it's a lot easier to come up with a fix for Flash than for a full operating system. Ten days might not have been enough time at all for Microsoft to address the problem. Redmond's statement to VB echoes the one it issued in 2015 when Google exposed another flaw a bit too soon. A spokesperson said Mountain View's move "puts customers at potential risk" since more people now know that there's a new vulnerability they can exploit:

"We believe in coordinated vulnerability disclosure, and today's disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
As for why the big G decided to reveal the flaw even though it could put people at risk, it's all because of the company's existing policy for actively exploited critical vulnerabilities. That policy states that Google will disclose vulnerabilities merely seven days after reporting it to the developer. Microsoft clarified to VB, though, that the Flash bug is needed in order to exploit the Windows flaw. So make sure to update Flash if you haven't done so in the past few weeks while waiting for Microsoft to release a patch.

[harrybarracuda]

Microsoft to patch Windows bug that Google revealed
12 Security | ITworld by Gregg Keize

Microsoft on Tuesday said it would patch a Windows vulnerability next week that Google publicly revealed just 10 days after notifying Microsoft.

Microsoft also identified the attackers, asserting that they were the same who had been accused by authorities of hacking the Democratic National Committee (DNC).

"All versions of Windows are now being tested ... and we plan to release [the patches] publicly on the next Update Tuesday, Nov. 8," wrote Terry Myerson, the head of the Windows and devices group, in a post to a company blog.

Microsoft to patch Windows bug that Google revealed | Computerworld

[Dragonfly]

do they have the patch for WinXP ?

[harrybarracuda]

do they have the patch for WinXP ?

Sure, if you pay.

[harrybarracuda]

November 08, 2016
Chrome exploit allows Svpeng trojan to bypass security measure; patch reportedly coming

The mobile banking trojan Svpeng continues to infect Android devices through malvertising campaigns delivered via the Google AdSense network. But at least experts at Kaspersky Lab now understand how the malicious APK has been able to automatically download itself while bypassing Google Chrome browser permissions.
According to Kaspersky via its Securelist blog, Google has developed a patch in response, but it will not take hold until the next official browser update.
Normally, a suspicious mobile program would trigger a Chrome alert screen that asks the user for permission to download the software, Kaspersky Lab explained in its blog. However, Svpeng's authors programmed the JavaScript malware to download in small, encrypted blocks of 1024 bytes, delivered in piecemeal fashion to the device.
The individual blocks are able to bypass Google Chrome's security measures; consequently the device owner never receives a notification. Once all of the disassembled code has been transferred over, Svpeng rebuilds itself on the device's SD card. This technique does not work on other browsers, Kaspersky noted.
The malware is automatically downloaded in the first place because the malicious code within the ad message emulates a click on the ad as if the user did it himself.
“When this method was used, Chrome's download manager did not perform a check on the file type of saved content,” explained Nikita Buchka, Kaspersky Lab malware analyst, in an email interview with SC Media.
According to a Google spokesperson, the fix is "currently being tested in Chrome 54 and will be live 100 percent in Chrome 55." Additionally, the spokesperson noted that Google's Verify Apps tool, when enabled, provides warnings for Svpeng downloads, even if Chrome doesn't. And while the company doesn't have precise numbers, "the installs are much lower than the figures reported by Kaspersky."
Meanwhile, Google has taken measures to block the ads responsible for spreading the Trojan, noted Kaspersky. Nevertheless, the security company has observed multiple spikes in Svpeng activity of late, detecting infections in 318,000 users over a three-month period starting in August. Attacks peaked in early October, during which time there were as many as roughly 37,000 in one day. Indeed, the malicious ads “can be shown to a huge amount of users in a short span of time,” said Buchka.
Svpeng is designed to steal bank card information via phishing windows; intercept, delete and send text messages; and collect user phone data. Currently, the malware only impacts devices with a Russian-language interface. “However, next time [the culprits] push their ‘adverts' on AdSense they may well choose to attack users in other countries,” warned the Kaspersky blog post.

https://www.scmagazine.com/chrome-ex...OTAyODg1MDUwS0

[harrybarracuda]

This Hack Can Silently Break Into 1 Billion Android App Accounts

Thomas Fox-Brewster , FORBES STAFF

Hong Kong-based researchers have demonstrated an attack on a massive number of Android applications, allowing them remote access to whatever accounts lie within. The apps have been downloaded more than 1 billion times, they said, making the impact widespread and severe.

The trio of researchers – Ronghai Yang, Wing Cheong Lau and Tianyu Liu from the Chinese University of Hong Kong – looked at 600 of the most popular US and Chinese Android apps. For 41 per cent of the 182 that supported single sign-on, they found problems associated with OAuth 2.0 – a standard that allows users to have their Facebook or Google accounts verify their logins to different third-party apps or websites. That means the user doesn’t have to provide additional usernames or passwords.

The vulnerabilities resided in the ways app developers implemented OAuth. Normally, when a user logs in via OAuth, the app checks with the ID provider, like Facebook, Google or Chinese firm Sina, that they have correct authentication details for those sites. If they do, OAuth will have an access token from the backend server of the ID provider issued to the server of the mobile app. This allows the app server to gather a user’s authentication information, verify it and let them login with their Facebook or Google credentials.

But the researchers found that, critically, for masses of Android apps, the developers didn’t properly check the validity of the information sent from the ID provider. For instance, they failed to verify the signature attached to the authentication information retrieved from Facebook and Google. In other cases, the app server would only look at the returned user ID and log the individual in without checking the attached OAuth information to see if they were linked.

For these reasons, it’s possible for a remote hacker to download the vulnerable app, login with their own information and then switch in the username of a target individual, using a server set up to tamper with the data sent from Facebook, Google or any other ID provider. Those usernames could either be guessed or retrieved with some simple Googling. That would grant the snoop total control of the data held within the app. (Further information on how the researchers bypassed additional protections implemented by Facebook are outlined in a paper due to be released tomorrow).

Forbes Welcome

[harrybarracuda]

The Investigatory Powers Bill, or as it has been more aptly named, the Snooper’s Charter, is now as good as passed. It just needs Royal Assent before it becomes law.

So before you Google anything, here's the full list of agencies that can now ask for any UK citizen's browsing history, as outlined in Schedule 4 of the bill, and collected by Chris Yiu:

• Police forces maintained under section 2 of the Police Act 1996
• Metropolitan police force
• City of London police force
• Police Service of Scotland
• Police Service of Northern Ireland
• British Transport Police
• Ministry of Defence Police
• Royal Navy Police
• Royal Military Police
• Royal Air Force Police
• Security Service
• Secret Intelligence Service
• GCHQ
• Ministry of Defence
• Department of Health
• Home Office
• Ministry of Justice
• National Crime Agency
• HM Revenue & Customs
• Department for Transport
• Department for Work and Pensions
• An ambulance trust in England
• Common Services Agency for the Scottish Health Service
• Competition and Markets Authority
• Criminal Cases Review Commission
• Department for Communities in Northern Ireland
• Department for the Economy in Northern Ireland
• Department of Justice in Northern Ireland
• Financial Conduct Authority
• Fire and rescue authorities under the Fire and Rescue Services Act 2004
• Food Standards Agency
• Food Standards Scotland
• Gambling Commission
• Gangmasters and Labour Abuse Authority
• Health and Safety Executive
• Independent Police Complaints Commissioner
• Information Commissioner
• NHS Business Services Authority
• Northern Ireland Ambulance Service Health and Social Care Trust
• Northern Ireland Fire and Rescue Service Board
• Northern Ireland Health and Social Care Regional Business Services Organisation
• Office of Communications
• Office of the Police Ombudsman for Northern Ireland
• Police Investigations and Review Commissioner
• Scottish Ambulance Service Board
• Scottish Criminal Cases Review Commission
• Serious Fraud Office
• Welsh Ambulance Services National Health Service Trust

[harrybarracuda]

Here's how to delete yourself from the internet - at the click of a button
Posted about 6 hours ago by Harriet Marsden in news

In our smartphone-obsessed digital age, we effectively live our entire lives online, which makes us increasingly vulnerable to unseen threats.

Cyber crime, fraud and identity theft are exponentially growing concerns. Our personal lives, locations, and increasingly our passwords are made public online for anyone to find.

If the highly invasive Investigatory Powers Bill (AKA the Snooper's Charter) isn't blocked, then every single digital move you make will be recorded for up to 12 months.

Also, infinite junk mails.

But erasing your digital trace from the World Wide Web can seem overwhelming, especially since each person has on average 1,000,000,000 preferences, passwords, subscriptions and linked accounts. So how would you go about tracking them all down?

In step two Swedish developers, with the easy-assemble, Ikea-style approach.

Wille Dahlbo and Linus Unnebäck have created Deseat.me, which allows you to log in with a Google account, and immediately see which apps and services are linked to it.

The genius part is, instead of having to search all those accounts separately, the site links you directly to the relevant unsubscribe page for that service. It's easy, efficient, and free.

Unfortunately, thusfar the service is only available for accounts and subscriptions linked to Google, which leaves your Hotmail, Yahoo and AOL-related content untouched.

For a similar service, you can use Just Delete Me or Account Killer, both massive directories of links to delete account pages. However, these are only effective when you know the accounts you have.

Here are some other helpful hacks to help ease your digital footprint:

• Change your passwords - billions are now available online, and letter-only English-word passwords are the easiest to crack
  
• Consider using symbols and numbers, as well as different passwords for different accounts
  
• Delete unnecessary social media accounts - this could also benefit mental health and productivity
  
• For any accounts you deem necessary, check privacy settings (also consider whether your Instagram page needs to be public)
  
• Since 2013, every tweet posted from your Twitter account from 2006 onwards is archived, even if you delete your account. Consider converting your privacy settings so only approved followers can read your tweets
  
• ​For undeletable accounts such as Evernote and Pinterest, change your name to a pseudonym, create a random email address to reassign, and delete all the information
  
• Go to 'My Activity' section of your Google account, wipe all search/location history and change account preferences
  
• Similarly, delete all activity from other search engines such as Yahoo and Bing
  
• Consider using a search engine that doesn't track your activity (e.g. DuckDuckGo) rather than Google or Bing
  
• Make sure you click 'unsubscribe' at the bottom of each spam email, before blocking it
  
• Request that search engines delete certain results about you (e.g. via a URL removal tool)
  
• Consider employing the services of a data clearinghouse - although this can be a lengthy and time consuming process
  
• Check with your phone company to make sure your number isn't listed online, and request that they do not post your details in future
  
• Remove yourself from data collection sites such as Spokeo, Whitepages and PeopleFinder - this can be difficult, so consider paying for a service like DeleteMe

[Cujo]

Here's how to delete yourself from the internet - at the click of a button
Posted about 6 hours ago by Harriet Marsden in news

In our smartphone-obsessed digital age, we effectively live our entire lives online, which makes us increasingly vulnerable to unseen threats.

Cyber crime, fraud and identity theft are exponentially growing concerns. Our personal lives, locations, and increasingly our passwords are made public online for anyone to find.

If the highly invasive Investigatory Powers Bill (AKA the Snooper's Charter) isn't blocked, then every single digital move you make will be recorded for up to 12 months.

Also, infinite junk mails.

But erasing your digital trace from the World Wide Web can seem overwhelming, especially since each person has on average 1,000,000,000 preferences, passwords, subscriptions and linked accounts. So how would you go about tracking them all down?

In step two Swedish developers, with the easy-assemble, Ikea-style approach.

Wille Dahlbo and Linus Unnebäck have created Deseat.me, which allows you to log in with a Google account, and immediately see which apps and services are linked to it.

The genius part is, instead of having to search all those accounts separately, the site links you directly to the relevant unsubscribe page for that service. It's easy, efficient, and free.

Unfortunately, thusfar the service is only available for accounts and subscriptions linked to Google, which leaves your Hotmail, Yahoo and AOL-related content untouched.

For a similar service, you can use Just Delete Me or Account Killer, both massive directories of links to delete account pages. However, these are only effective when you know the accounts you have.

Here are some other helpful hacks to help ease your digital footprint:

• Change your passwords - billions are now available online, and letter-only English-word passwords are the easiest to crack
  
• Consider using symbols and numbers, as well as different passwords for different accounts
  
• Delete unnecessary social media accounts - this could also benefit mental health and productivity
  
• For any accounts you deem necessary, check privacy settings (also consider whether your Instagram page needs to be public)
  
• Since 2013, every tweet posted from your Twitter account from 2006 onwards is archived, even if you delete your account. Consider converting your privacy settings so only approved followers can read your tweets
  
• ​For undeletable accounts such as Evernote and Pinterest, change your name to a pseudonym, create a random email address to reassign, and delete all the information
  
• Go to 'My Activity' section of your Google account, wipe all search/location history and change account preferences
  
• Similarly, delete all activity from other search engines such as Yahoo and Bing
  
• Consider using a search engine that doesn't track your activity (e.g. DuckDuckGo) rather than Google or Bing
  
• Make sure you click 'unsubscribe' at the bottom of each spam email, before blocking it
  
• Request that search engines delete certain results about you (e.g. via a URL removal tool)
  
• Consider employing the services of a data clearinghouse - although this can be a lengthy and time consuming process
  
• Check with your phone company to make sure your number isn't listed online, and request that they do not post your details in future
  
• Remove yourself from data collection sites such as Spokeo, Whitepages and PeopleFinder - this can be difficult, so consider paying for a service like DeleteMe

That was a really cuntish unedited difficult to read [at][at][at][at] and paste. Fuck you.
Give us the fucking readers digest version next time.

[harrybarracuda]

That was a really cuntish unedited difficult to read [at][at][at][at] and paste. Fuck you.
Give us the fucking readers digest version next time.

I'm sorry about your pitiful education, but there's no need to moan about it.

Ask your mummy to buy this:

[Dragonfly]

interesting articles harry, for once

glad you are moving away from boring MS security bulletin

[Cujo]

That was a really cuntish unedited difficult to read [at][at][at][at] and paste. Fuck you.
Give us the fucking readers digest version next time.

I'm sorry about your pitiful education, but there's no need to moan about it.

Ask your mummy to buy this:

Yes, having sobered up it's not that difficult.