A $15 Device Can Hack US Presidential Election, Says Symantec

During its “Hack the Vote” election simulation, cyber-security firm Symantec has revealed three easy ways an attacker with the right level of intelligence and motivation could impact the US presidential election, and it would cost just $15 (roughly Rs. 1,000).

To analyse the ecosystem of an election – from electronic voting machines to data transfers, vote tabulation and broadcasting the results – the company tested the actual direct-recording electronic (DRE) voting machines and other equipment to simulate a real-world voting system. According to the general process, voters use a chip card to cast their vote. Once someone has voted, the same card is re-used by the next voter. “Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system. Which means they can be exploited like any computing device,” the company said in a statement.

“In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. Anyone who knows how to programme a chip card and purchases a simple $15 Raspberry Pi-like device, could secretly reactivate their voter card while inside the privacy of a voting booth,” added Symantec.

The card can be faked in two different ways: first, by resetting the card to allow someone to vote multiple times using the same chip card and, second, by programming the card to allow multiple vote casting. “There was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes,” Symantec found.

The second method to influence the votes is tampering with tabulation. All the votes are registered in the voting and attackers could compromise the integrity of the voting data by manipulating the cartridges, as these storage cartridges function like a USB drive that stores data in plain text with no embedded encryption. Thirdly, by propagating misinformation on social media networks, a hacktivist or attacker could also change voter behaviour.

Symantec said that these vulnerabilities can easily be fixed by installing security software at all points of the process.

 

Verizon Said to Be Pushing for $1 Billion Discount on Yahoo Deal

Verizon Communications is pressing for a $1 billion (roughly Rs. 6,685 crores) discount off its pending $4.8 billion agreement to buy Yahoo, the New York Post reported, citing sources.

The Yahoo deal team is pushing back hard against any attempts to negotiate the price down, the paper said.

Last month Yahoo said at least 500 million of its accounts were hacked in 2014 and in a statement Verizon said it had been made aware of the breach immediately but had limited information about the matter.

US senators accused Yahoo of “unacceptable” delay in discovering the hack and urged the US Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the hacking attack.
Verizon and Yahoo both declined to comment.

In July, Verizon agreed to buy Yahoo Inc’s core Internet properties for $4.83 billion in cash, setting the stage for a big new internet push by the telecom giant.

Google to Be Investigated by Indonesia for Possible Unpaid Taxes

Indonesia’s tax office will investigate Alphabet Inc’s Google for suspected unpaid taxes in Southeast Asia’s largest economy, a senior finance ministry official said on Thursday.

Muhammad Hanif, head of the special cases branch in the tax office, said Google’s refusal to cooperate after it was sent a letter in April requesting to be allowed to examine the company’s tax reports had raised suspicions.

“We will elevate this to an investigation because they refused to be examined, and this is definitely an indication of criminal activity,” Hanif told a news conference.

He added that the probe would not be launched until the end of the month at the earliest.

Taj Meadows, head of policy communication for Google in Asia Pacific, declined to comment immediately on the issue, but said in an emailed response that the company would revert as “soon as it can”.

The government had also asked to examine the tax reports of the Indonesian offices of three other US Internet based companies – Yahoo, Twitter and Facebook.

Those three companies have complied, officials said.

Yahoo and Google have formed Indonesian limited liability companies, while Twitter and Facebook operate branches of their Asia-Pacific offices in Indonesia.

The government believes these companies owe income and value added tax on billions of dollars of revenue they generate from advertising in Indonesia, the tax office said.

Hanif said Google’s Indonesian entity was only allocated around 4 percent of the total revenues generated from the country, and it was this amount that was taxed, which he described as too small and “unfair”.

The communications ministry had estimated the value of digital advertising in Indonesia at about $800 million (roughly Rs. 5,361 crores) last year. The ministry said all of it was untaxed.

There was no immediate explanation for the wide discrepancy of the two agencies’ estimates for digital advertising revenue.

Indonesia is facing a sizeable revenue shortfall this year as the resource-rich country can no longer rely on commodity-related income.

In a separate development, the tax office said it is checking whether Ford Motor Co had avoided paying appropriate taxes, after a local newspaper reported that the US car maker modified imported Everest model vehicles sold in Indonesia to pay a lower tax rate.

If the car maker is proven to have caused state losses, it may have to pay back taxes of up to four times the amount it owed, according to Indonesian law.

“We have always strictly complied with all Indonesia government regulations and policy, including all import-related tax and customs requirements, related to each of our Ford vehicles officially marketed and sold in the country,” he said.

Ford announced in January it is closing all operations in Southeast Asia’s biggest economy, where it held a 1 percent market share.

 

Google’s Shop the Look Feature to Show Smarter Shopping Ads in Search Results

  • Google is partnering with sites like LiketoKnow.it, Curalate and Polyvore
  • Search and purchase outfits and home decor options on the search engine
  • Users can select one of the looks, which will then show similar products

Google last year added ‘Purchases on Google’ or ‘Buy buttons’, making it easier for mobile users to shop while using Google Search. This was part of the company’s attempt to lure customers to its site rather than shop via Facebook or Pinterest. Google’s aim was to simplify the process of searching and buying products.

 

In an attempt to make mobile shopping even simpler, Google is now testing a new format called ‘Shop the Look’ that lets you search for specific outfits and home décor options, showing pictures and purchase links within ‘Shopping ads’ on the search engine. This means users will not have to switch to a different website to purchase the outfit or home decor.

To get the format going, Google is partnering with sites like LiketoKnow.it, Curalate and Yahoo-owned Polyvore, which are platforms that allow fashion bloggers to make money from their posts. Essentially, Google will source the content from these sites and pull the photos and affiliate links when a search related to that particular outfit or home décor option is initiated. Users can select one of the looks, which will then show similar products related to the choice.

Where users would previously use social apps like Instagram or Pinterest to follow their favourite fashion blogger and home decorator, they can now find their favourite blogger and purchase related options directly through Google’s engine without the need to use an app. This is what Google hopes to achieve with the ‘Shop the Look’ app.

This new feature could be beneficial not only for Google but also for fashion bloggers, who until now have had to use platforms like Polyvore to earn. By hopping on to Google’s engine, these bloggers can be discovered by a wider audience. Bloggers and retailers who want to show their products within the Shop the Look experience will need to create a shopping campaign and optimise their bids for mobile. The ‘Shop the Look’ feature is currently being tested in the US.

Last.fm Credential Leak Reveals the Need for Stronger Passwords

In today’s internet age, having a strong password is an unsaid prerequisite. And yet, people have a tendency to skip the painful process of coming up with a difficult password for one that is as simple as ‘123456’, ‘password’ or ‘qwerty’. These are but some of the passwords that have been revealed by a recent leak that dumped around 43 million user records from music streaming platform Last.fm on the internet.

The data, stolen in 2012, shows some of the most popular passwords used by Last.fm users. Last.fm’s leak joins a series of high-profile leaks that include websites like Dropbox and LinkedIn. The data stolen from Last.fm contains emails, registration dates and passwords of users. The passwords were decrypted by LeakedSource and the list shows that weak, easy passwords are the popular choice. Here are the top 10 most popular passwords according to LeakedSource:

123456
password
lastfm
123456789
qwerty
abc123
abcdefg
12345
1234
music

The list is quite shocking given how people store most of their personal information on the internet. The leak not only tells us that cybercrime is on a rampage, but that there is a need to inform users on the importance of keeping a strong password to protect their information.

Last.fm had around 49 million users at the time of the hack. While the list may seem funny to many, it is a reality that needs to be addressed. Even though a website like Last.fm isn’t among those that store sensitive user information, there is a tendency among users to reuse the same passwords for other sites. And this in turn leaves all those sites vulnerable to hackers. After all, if Facebook’s own CEO Mark Zuckerberg can be hacked then so can anyone.

It is advisable for those who prefer keeping simple, easy-to-remember passwords to change them regularly and not use the same one for multiple sites. While you’re at it, deleting accounts that are no longer in use is a good way to prevent your past from catching up to you. Yet, the best way to stay safe is to put in some time and effort to come up with a long, difficult password. For the internet is dark and full of terrors.

MirrorLink Car Smartphone Network Has Vulnerabilities, Claim Researchers

A system of rules that allows vehicles to communicate with smartphones may be vulnerable to hacking, a new study suggests. Many of today’s automobiles leave the factory with secret passengers: prototype software features that are disabled but that can be unlocked by clever drivers, researchers said.

In what is believed to be the first comprehensive security analysis of its kind, researchers at New York University Tandon School of Engineering and George Mason University in the US found vulnerabilities in MirrorLink, a system of rules that allows vehicles to communicate with smartphones.

MirrorLink, when unlocked, can allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system.

Damon McCoy, from the NYU Tandon School of Engineering, explained that “tuners” – people or companies which customise automobiles – might unwittingly enable hackers by unlocking insecure features.

“Tuners will root around for these kinds of prototypes, and if these systems are easy to unlock they will do it,” he said. “And there are publicly available instructions describing how to unlock MirrorLink. Just one of several instructional videos on YouTube has gotten over 60,000 views,” McCoy added.

“The researchers used such publicly available instructions to unlock MirrorLink on the in-vehicle infotainment system in a 2015 vehicle they purchased from eBay for their experiments,” said McCoy.

The automaker and supplier declined to release a security patch – reflecting the fact that they never enabled MirrorLink. McCoy pointed out that this could leave drivers who enable MirrorLink out on a limb.

MirrorLink is the connection protocol that allows the driver or passenger to control phone apps via the car’s dash and steering wheel controls. Created by the Connected Car Consortium, which represents 80 per cent of the world’s automakers, MirrorLink is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems.

However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.

YouTubers Are Accusing the Site of Rampant ‘Censorship’

YouTube is the third-largest website on Earth, a behemoth viewed by millions each day. It’s also “over” — or on the brink of it — according to a group of outraged creators who claim the company has begun censoring them.

The controversy springs from confusion over YouTube’s long-standing policy of disabling ads on videos that could draw advertiser complaints. Those include videos that are violent, sexually suggestive, or that contain drug use or bad language.

But whereas YouTube has historically hidden demonetization notifications in its video analytics dashboard – meaning that some creators never saw them – the company recently began sending notices by email and alerting them directly on video pages.

In the process, it has caught several YouTubers by surprise: Luke Cutforth, Melanie Murphy, Rob Dyke, MrRepzion and Philip DeFranco, among many others, have all posted videos and tweets accusing YouTube of “censoring” them and threatening their livelihoods. On Thursday, DeFranco’s video on the subject – which has thus far been viewed more than 1.7 million times – sparked the trending Twitter hashtag #YouTubeIsOverParty, a vote of protest by creators and fans alike.

“Without us,” tweeted the beauty vlogger Samantha Ravndahl, “you would have no content to advertise over top of.”
Ironically, the change is part of YouTube’s ongoing efforts to be more transparent in its dealings with creators, and was actually designed to make it easier for YouTubers to appeal bad blacklistings. That process was previously difficult to both find and navigate; now it’s as easy as checking a box that says “Review my video again. I believe it’s advertiser-friendly.”

Still, many YouTubers have raised valid concerns about what YouTube considers “advertiser-friendly” in the first place. It’s hard to quibble with an advertiser who doesn’t want his product placed next to, say, a vaguely rape-y Sam Pepper “prank.” (This isn’t terribly different from conventional media, where companies cherry-pick the shows they advertise with very strategically, and pull those ads posthaste if the show gets mixed up in anything dicey.)

But YouTube also demonetizes videos that concern “controversial or sensitive subjects and events, including subjects related to war, political conflicts, natural disasters and tragedies, even if graphic imagery is not shown.” That could prove a major disincentive for news coverage on the platform, particularly among small creators.

Aaron Wysocki, director of content distribution for the Web news network Young Turks, tweeted Thursday morning that YouTube had disabled ads on nearly 1,000 of the network’s videos over the past three years – including recent news items about Syrian refugees, pharmaceutical research and the Colombian ceasefire.

Meanwhile, DeFranco said YouTube docked a video he posted August 30, which contained some fleeting PG-13 language but otherwise stuck to discussing news stories such as the release of Brock Turner and the Annaliese Nielsen/Lyft incident.

“How the hell am I supposed to talk about news?” he asked.

Will YouTube revise its ad policy in light of all the outrage? Only time will tell.

Myntra Distances Itself From Ad Spoofing Draupadi

  • Ad spoofing Draupadi’s disrobing not ours, says Myntra
  • Myntra attacked on Twitter for ad
  • Ad maker confirms Myntra not involved

The advertisement was an absolute train wreck with #BoycottMyntra trending on Twitter all of Friday morning. The sound of jaws dropping everywhere could be heard virtually. And then hours after the ad went public, fashion site Myntra said “it wasn’t us.” In a statement to NDTV, Myntra said, “This creative was done and posted by a third party (ScrollDroll) without our knowledge or approval. They have already pulled down the illustration and apologised publicly for the same. Myntra does not endorse it. We will be pursuing legal action against them for using our brand.”

It turns out the ad, which was created in February and then appeared again online on Thursday on Lord Krishna’s birthday, spoofing Draupadi’s disrobing in the Mahabharata, was the work of a digital marketing agency. The agency confirmed that Myntra was not to blame.

ScrollDroll @ScrollDroll

This poster was created by us in Feb. We removed it immediately as we never intended to hurt sentiments (1/2) https://twitter.com/GitaSKapoor/status/768876983505788933

ScrollDroll @ScrollDroll

We take up the responsibility of this artwork. Myntra is nowhere associated with it directly or indirectly. (2/2) https://twitter.com/GitaSKapoor/status/768876983505788933

ScrollDroll, based in Delhi, does digital marketing and online art work, and published the creative without authorisation from Myntra.

Myntra was bought by Flipkart for $300 million in 2014.

 

EU Approves Data Protection Reform, Boosting Privacy

The European Union on Thursday approved new data protection rules to strengthen online privacy, streamline legislation between the 28 member states and boost police and security cooperation.

The rules will for the first time create a strong data protection law for Europe’s 500 million citizens, replacing an outdated patchwork of national rules that only allowed for tiny fines in cases of violation.

There will be “a right to be forgotten” that means consumers can ask for non-essential information to be deleted from web searches, such as those of Google.

The rules also state that individuals must give their “clear and affirmative consent” before private data is processed by companies or governments. This point became important after leaks two years ago showed allegedly widespread US government snooping of European data such as phone calls and emails.

The new rules also allow for the streamlining of data transfers for policing and judicial purposes, helping to improve security in the wake of the November 13 attacks in Paris, which killed 130 people, and last month’s suicide bombings in Brussels, which left 32 dead.

Privacy has become a hot topic amid pressure by companies to get information on consumers, as well as the needs of security services to have as much data as possible on possible suspects involved in extremist attacks.

The European parliament’s president, Martin Schulz, said that “the security of European citizens should never be ensured at the expense of their rights and freedoms.”

But he welcomed the new rules as “crucial steps” in the digital age when the privacy of consumers has come under ever greater threat.

Commercially, there is also a lot at stake, and the parliament’s chief negotiator, Jan Philipp Albrecht, has said that firms breaching EU data protection rules could be fined as much as 4 percent of annual turnover, which could amount to billions of dollars.

After four years of fierce political battles between industry and privacy groups, the rules should now become official within a two-year span.

Chrome 50 Released for Windows, OS X, Linux; Retires Legacy Platform Support

Google has released Chrome 50 for Windows, OS X, and Linux. The update brings several improvements, as well as bug and security fixes, apart from new features. An update for Android and Chrome OS is also expected to roll out soon.

As announced back in November, Google has retired support for older operating systems, namely – Windows XP, Windows Vista, OS X 10.6, OS X 10.7, and OS X 10.8.

Chrome 50 for Windows, OS X, and Linux updates the Push API to add push notification payloads, which are meant to make notification deliveries more efficient by sending notification data simultaneously along with the message. Developers will also be able to customise their notifications with buttons and time stamps, while sites can give users silent, sound, and vibrating notifications. Webmasters will also be informed when a notification is closed by a user, helping sync notifications across devices while also providing analytics data.

Other new features in Chrome 50 include a declarative preload where site developers can let the browser know which resources are needed to properly display a page with the “link rel='preload'” attribute, significantly reducing page load time. To showcase this, Google has also published a video contrasting the page load times with and without the implementation. Several other developer-facing features were also unveiled.

In the meantime, Chrome 50 for Android will get a pause and cancel button for downloads. The company also mentioned that Chrome 50 came with 20 security fixes, and highlighted the most important contributions by external researchers. These are: universal XSS in extension bindings; out-of-bounds write in V8; out-of-bounds read in Pdfium JPEG2000 decoding; uninitialized memory read in media; use-after-free related to extensions; Android downloaded file path restriction bypass; address bar spoofing; and a potential leak of sensitive information to malicious extension.