darthcamaro writes: Apparently YouTube isn’t the only site that is draining CPU power with unauthorized cryptocurrency miners. A water utility provider in Europe is literally being drained of its CPU power via an cryptojacking attack that was undetected for three weeks. eWeek reports: “At this point, Radiflow’s (the security firm that discovered the cryptocurrency mining malware) investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Radiflow CTO Yehonatan Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led the mining code being installed on the system. The actual system that first got infected is what is known as a Human Machine Interface (HMI) to the SCADA network and it was running the Microsoft Windows XP operating system. Radiflow’s CEO, Ilan Barda, noted that many SCADA environments still have Windows XP systems deployed as operators tend to be very slow to update their operating systems.” Radiflow doesn’t know how much Monero (XMR) cryptocurrency was mined by the malware, but a recent report from Cisco’s Talos research group revealed that some of the top un-authorized cryptocurrency campaigns generate over a million dollars per year. The average system would generate nearly $200, 000 per year. Read more of this story at Slashdot.
Follow this link:
Attackers Drain CPU Power From Water Utility Plant In Cryptojacking Attack
According to multiple reports, Web of Trust, one of the top privacy and security extensions for web browsers with over 140 million downloads, collects and sells some of the data of its users — and it does without properly anonymizing it. Upon learning about this, Mozilla, Google and Opera quickly pulled the extension off their respective extension stores. From a report on The Register: A browser extension which was found to be harvesting users’ browsing histories and selling them to third parties has had its availability pulled from a number of web browsers’ add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens’ web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked. Read more of this story at Slashdot. 
Krystalo writes: In addition to the debut of the Firefox Developer Edition, Mozilla today announced new features for its main Firefox browser. The company is launching a new Forget button in Firefox to help keep your browsing history private, adding DuckDuckGo as a search option, and rolling out its directory tiles advertising experiment. Read more of this story at Slashdot. 
itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook’s onion address. This was done both for internal technical reasons and as a way for users to verify Facebook’s ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time. Read more of this story at Slashdot. 
jfruh writes The U-blox SARA-U260 chip module is only 16 by 26 millimeters — and it’s just been certified to work with AT&T’s 3G network. While consumers want 4G speeds for their browsing needs, 3G is plenty fast for the innumerable automated systems that will be necessary for the Internet of Things to work. From the article: “The U-blox SARA-U260 module, which measures 16 by 26 millimeters, can handle voice calls. But it’s not designed for really small phones for tiny hands. Instead, it’s meant to carry the small amounts of data that machines are sending to each other over the ‘Internet of things, ‘ where geographic coverage — 3G’s strong suit — matters more than top speed. That means things like electric meters, fitness watches and in-car devices that insurance companies use to monitor policyholders’ driving.” Read more of this story at Slashdot. 
New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving “network injection appliances” installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, “many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites…many of these commonly held beliefs are not necessarily true.” This technique is largely designed for targeted attacks, so it’s likely most of us will be safe for now — but just one more reminder to use https. Read more of this story at Slashdot.