Federal judge rules IP address alone not proof of copyright infringement

January 23, 2014 – 6:06 AM

All too often, we hear about web users who are targeted by litigators and law enforcement agencies, and accused of downloading copyrighted material on the basis of no more evidence than an IP address. But a pivotal ruling by a federal judge may have a significant impact on future lawsuits by copyright holders.

Those accused of infringement are frequently held to account on the basis that their IP address has been identified as having shared a pirated copy of a movie, TV show, game or other material. But as many already realise, an IP address alone does not identify the individual responsible for the download – merely the connection used for the download.

As TorrentFreak reports, Washington District Judge Robert Lasnik understands this distinction. In considering a claim against hundreds of alleged downloaders of the movie Elf-Man, Judge Lasnik considered the complaint brought forward by the film-makers, who asserted that the defendants – identified via their IP addresses through their internet service providers under subpoena – had either downloaded a copy of the film themselves, or otherwise enabled others to download the files using their internet connection.

But the judge disagreed with that assessment: “[The movie studio] has actually alleged no more than that the named defendants purchased Internet access and failed to ensure that others did not use that access to download copyrighted material,” he stated. “Simply identifying the account holder associated with an IP address tells us very little about who actually downloaded ‘Elf-Man’ using that IP address.”

Judge Lasnik acknowledged that it was certainly possible that each defendant was indeed the individual responsible for downloading the movie, but added that it was equally plausible that it was somebody else entirely – whether a family member, friend, or a complete stranger using the defendant’s internet connection. The judge consequently granted a motion to dismiss the case.

Source:
http://www.neowin.net/news/federal-judge-rules-ip-address-alone-not-proof-of-copyright-infringement

Chrome exploit can secretly listen to oblivious users

January 23, 2014 – 5:21 AM

Google has been pushing hard to incorporate speech recognition features into Web apps. But a Chrome exploit that can secretly transcribe your conversations unless you’re paying attention probably wasn’t what the company had in mind.

Whenever a website wants to access your microphone, Chrome requires permission. A dialog appears at the top of the browser window, and after you give your OK, an icon appears in the tab area, letting you know the microphone is in use. Close the tab or visit another site, and microphone access is supposed to get cut off.

But as Web developer Tal Ater discovered, malicious sites can use pop-under windows to keep listening even after the user has gone to another site or closed the main browser window. Unlike a regular browser tab, pop-under windows don’t show the recording status icon, and can continue to listen in for as long as the pop-under window stays open. The exploit can also stay dormant until the user utters certain key phrases.

The trick, according to Ater, lies in the use of HTTPS site permissions. Chrome remembers when you’ve given microphone privileges to an HTTPS site, so you don’t have to click an approval button every time you visit. Unfortunately, this also allows the site to open a pop-under window and continue accessing the microphone without express permission.

Granted, the odds of a user enabling speech recognition on a malicious site and then staying oblivious to pop-under windows seem slim. Perhaps that’s why Google doesn’t seem overly concerned with fixing the issue right away. Ater claims that Google is waiting for the W3C standards group to decide the appropriate course of action, four months after the developer brought the issue to Google’s attention.

Source:
http://www.pcadvisor.co.uk/news/security/3498478/chrome-exploit-can-secretly-listen-to-oblivious-users/

“Password” unseated by “123456” on SplashData’s annual “Worst Passwords” list

January 20, 2014 – 2:26 PM

SplashData has announced its annual list of the 25 most common passwords found on the Internet. For the first time since SplashData began compiling its annual list, “password” has lost its title as the most common and therefore Worst Password, and two-time runner-up “123456” took the dubious honor. “Password” fell to #2.

According to SplashData, this year’s list was influenced by the large number of passwords from Adobe users posted online by security consulting firm Stricture Consulting Group following Adobe’s well-publicized security breach.

“Seeing passwords like ‘adobe123’ and ‘photoshop’ on this list offers a good reminder not to base your password on the name of the website or application you are accessing,” says Morgan Slain, CEO of SplashData.

SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords. Some other passwords in the Top Ten include “qwerty,” “abc123,” “111111,” and “iloveyou.”

“Another interesting aspect of this year’s list is that more short numerical passwords showed up even though websites are starting to enforce stronger password policies,” Slain said. For example, new to this year’s list are simple and easily guessable passwords like “1234” at #16, “12345” at #20, and “000000” at #25.

SplashData, provider of the SplashID Safe line of password management applications, releases its annual list in an effort to encourage the adoption of stronger passwords. “As always, we hope that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”
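The two patterns the list illustrates – picking an entry from the common-password list and building a password around the name of the site or product – are easy to screen for at sign-up time. The following Python snippet is an added example, not SplashData’s code: it checks a candidate password against the entries the article names (assumed to be only a subset of the full Top 25), also catches digit-for-letter spellings such as “ph0tosh0p”, and goes slightly beyond the list by rejecting pure counting or keyboard sequences and single repeated characters, which is how the short numeric entries like “1234” and “000000” get there in the first place. `screen_password` and `WORST_PASSWORDS` are names chosen for this example.

```python
"""Screen a candidate password against the SplashData 2013 worst-passwords
entries and the weak patterns the article describes.

Added example; not SplashData's code.
"""
import re
from typing import List, Optional

# Entries the article names (assumption: only a subset of the full Top 25 list).
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "abc123", "111111", "iloveyou",
    "adobe123", "photoshop", "1234", "12345", "000000",
}

# Digit/symbol-for-letter substitutions, so "ph0tosh0p" still matches "photoshop".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Counting and keyboard-row sequences in both directions.
_SEQUENCES = (
    "1234567890", "0987654321",
    "abcdefghijklmnopqrstuvwxyz", "zyxwvutsrqponmlkjihgfedcba",
    "qwertyuiop", "poiuytrewq",
)


def screen_password(password: str, site_name: Optional[str] = None,
                    min_length: int = 8) -> List[str]:
    """Return the reasons a password should be rejected (empty list = accepted).

    Checks, in order: membership in the worst-passwords set (as typed and after
    undoing leet substitutions), minimum length, digits only, a pure counting or
    keyboard sequence, a single repeated character, and reuse of a word from the
    site or product name.
    """
    reasons: List[str] = []
    low = password.lower()
    deleet = low.translate(_LEET)

    if low in WORST_PASSWORDS or deleet in WORST_PASSWORDS:
        reasons.append("on the worst-passwords list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.isdigit():
        reasons.append("digits only")
    if len(low) >= 3 and any(low in seq for seq in _SEQUENCES):
        reasons.append("sequential characters")
    if len(set(low)) == 1:
        reasons.append("repeated single character")
    if site_name:
        # Each word of the site/product name of 3+ characters is checked separately,
        # so "Adobe Photoshop" flags both "adobe123" and "ph0tosh0p".
        for word in re.findall(r"[a-z0-9]{3,}", site_name.lower()):
            if word in low or word in deleet:
                reasons.append(f"contains the site name ({word})")
                break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = (
        ("123456", None),
        ("adobe123", "Adobe"),
        ("Ph0toSh0p!2014", "Adobe Photoshop"),
        ("Mauve-Kettle-42!", "Adobe"),
    )
    for pw, site in samples:
        verdict = screen_password(pw, site)
        print(f"{pw!r:20} -> {'accepted' if not verdict else ', '.join(verdict)}")
```

The check is deliberately a reject-list, not a strength score: a password that passes it is merely not one of the obvious ones. In a real deployment the small set above would be replaced by the full published list (or a much larger breach-derived corpus), and the site-name words would come from the application’s own configuration.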

Source:
http://splashdata.com/press/worstpasswords2013.htm

Six more US retailers hit by Target-like hacks, security firm says

January 18, 2014 – 8:20 AM

Cybercriminals have stolen payment card data from six more U.S. retailers using point-of-sale malware similar to that which compromised Target, a computer crime intelligence company said Friday.

The conclusion comes from a study of members-only forums where cybercriminals buy and sell data and malicious software tools, said Dan Clements, president of IntelCrawler, which conducted the analysis.

The retailers have not been publicly named, but IntelCrawler is providing technical information related to the breaches to law enforcement, Clements said in a telephone interview Friday.

IntelCrawler has also identified a 17-year-old Russian who it says created the BlackPOS malware, which intercepts unencrypted payment card data after a card is swiped. Security experts believe malware based on BlackPOS was used against Target.

The teenager, who goes by the online nickname “ree4,” sold more than 40 copies of BlackPOS to cybercriminals in Eastern Europe and elsewhere, according to forum postings IntelCrawler analyzed.

Clements said IntelCrawler is “90 percent” sure of its finding, based on the forum postings and sources it communicated with.

The forum posts indicate the teenager sold the malware for US$2,000 or for a share of the profits that came from monetizing stolen payment card details, Clements said.

Source:
http://www.networkworld.com/news/2014/011814-six-more-us-retailers-hit-277862.html

Neiman Marcus hack reportedly went undetected for months

January 17, 2014 – 5:33 AM

A security breach that yielded Neiman Marcus customers’ payment card information went undetected for nearly six months, according to a report in the New York Times.

The upscale department store revealed Friday that hackers may have stolen customers’ credit and debit card information during an intrusion it detected in mid-December, but sources told the Times that the earliest time stamp on the breach was from July. During a call with credit card companies on Monday, the company acknowledged that the intrusion had been fully contained only a day earlier, three days after it was publicly revealed, sources told the newspaper.

Neiman Marcus did not immediately respond to a CNET request for comment but told Reuters that it only learned of the breach last month.

“We did not get our first alert that there might be something wrong until mid-December,” Neiman Marcus spokesperson Ginger Reeder told Reuters. “We didn’t find evidence until January 1.”

The luxury chain has not revealed how many of its customers may be affected by the security breach but said no customer Social Security numbers and birthdates had been compromised. As in a recent high-profile breach at retailer Target, malware installed on in-store point-of-sale terminals appears to have been the avenue for data theft.

“Customers that shopped online do not appear to have been impacted by the criminal cyber-security intrusion,” Neiman Marcus CEO Karen Katz said in a statement to customers. “Your PIN was never at risk because we do not use PIN pads in our stores.”

Source:
http://news.cnet.com/8301-1009_3-57617398-83/neiman-marcus-hack-reportedly-went-undetected-for-months/