Tech News
The European Union has decided to raise prison sentences for people found guilty of hacking, data breaches, and cyberattacks. Lawmakers from the 28 EU member states voted 541-91 on Thursday to assign harsher penalties for a range of cybercrimes, according to Reuters. The new minimum sentences include at least two years for illegally accessing information systems and at least five years for cyberattacks against critical infrastructure such as power plants, water systems, and transportation networks. Lawmakers agreed that the most serious offences are attacks on national infrastructure networks and the theft of sensitive data from computer systems. Penalties were also increased for the illegal interception of communications and for creating tools built for that purpose, and any company that uses such tools or hires hackers to steal data will be liable under the new rules. Penalties for cybercrime currently vary from country to country, with most sentences topping out at five years, according to Reuters. Each member state now has two years to write the new rules into national law.
Android flaw leaves 99% of devices open to attacks, details to be revealed at Black Hat
Mobile security company Bluebox claims to have discovered a flaw in Android that could leave any device released in the last four years vulnerable to attack. The method it demonstrated allows an app's code to be modified without invalidating the app's cryptographic signature, so malicious code can be inserted and installed unnoticed, enabling anything from data theft to building botnets. The implications are huge, the researchers say. Although the specifics are still under wraps, the core issue involves a discrepancy between how Android verifies an application and how it installs it. As Bluebox explains, every Android app carries a cryptographic signature that verifies its authenticity; by exploiting what it calls a "master key", an attacker can trick Android into believing an app is unchanged even though the code inside its APK has been modified. Whatever the specific trick, the class of bug is the same: the code that checks the signature and the code that installs the package must agree on exactly which bytes they are looking at, and any difference between the two parsers lets a signed package carry unsigned content. The vulnerability has reportedly existed since the release of Android 1.6 in 2009, and Google was notified about it in February. Because of the way Android updates work, however, it is up to each manufacturer to produce and release firmware updates for its own hardware, and so far only the Galaxy S 4 has been patched.
After years of benefiting from other companies' bug bounty programs, Microsoft is finally stepping into the bug bounty business itself with three new programs to encourage and compensate researchers who find vulnerabilities in the company's software. The programs include up to $100,000 for novel mitigation-bypass techniques against the protections built into its software, a further $50,000 on top of that for a defensive idea that would block the bypass, and up to $11,000 for critical bugs found in the preview release of its upcoming Internet Explorer 11 browser.
Microsoft today announced that, in coordination with the FBI, it has disrupted more than 1,000 botnets used to steal people's banking information and identities. The malware, dubbed Citadel, is blamed for losses of more than $500 million and affected more than 5 million people. Most victims were located in the U.S., Europe, Hong Kong, Singapore, India, and Australia, but Microsoft has found evidence of Citadel in more than 90 countries. Citadel installed key-logging software on an infected computer, recording everything the user typed; that allowed the scammers to steal passwords and gain direct access to the victim's bank account. "The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world," Brad Smith, Microsoft general counsel, said in a statement. "Today's coordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise and we're going to continue to work together to help put these cybercriminals out of business."
Hackers crack 16-character passwords in less than an HOUR
A team of hackers has managed to crack more than 14,800 supposedly random passwords, from a list of 16,449, as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of the hashed passwords did so in less than an hour using a computer cluster. The crackers also recovered 16-character passwords, including 'qeadzcwrsfxv1331'. The hackers, working for the website Ars Technica, have now published how they cracked the passwords and the traditional techniques they used, as an anatomy of a hack. Rather than repeatedly entering passwords into a website, the hackers worked offline from a list of hashed passwords they obtained online. Hashing takes each user's plaintext password and runs it through a one-way mathematical function, producing a unique string of numbers and letters called the hash. Hashing makes it hard for an attacker to go from a hash back to the password, and it lets sites store a list of hashes rather than storing passwords insecurely in plaintext. That protection is only as strong as the hash function, however: a fast, unsalted hash lets an attacker test billions of guesses per second on commodity GPUs and check each guess against every account at once, which is what makes an offline experiment like this one possible. A deliberately slow, per-user-salted scheme raises the cost of every guess and forces the attacker to repeat the work for each account.
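The following is an added example, not code from Ars Technica or from the crackers in the article. It reproduces the shape of the attack described above against a constructed leak of four unsalted MD5 hashes (the page does not say which algorithm the real list used; MD5 is assumed here as a typical fast hash), enumerating guesses from a tiny dictionary, a few constructed keyboard-walk bases, case rules and digit or symbol suffixes, and then shows the hardened alternative: a random per-user salt with PBKDF2-HMAC-SHA256. The wordlist, the walk bases and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import time

# ---- Constructed leak (not data from the article) --------------------------
# A site that stored unsalted MD5 leaks nothing but 32-hex-char strings.
# Assumption: the hashes in the Ars experiment were a fast unsalted hash;
# the page does not say which algorithm was used.
SAMPLE_PLAINTEXTS = ["password1", "Summer2013", "letmein!", "qeadzcwrsfxv1331"]
LEAKED_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS}

# Constructed wordlist; real attacks use tens of millions of entries.
WORDLIST = ["password", "summer", "letmein", "dragon", "monkey"]
# Constructed keyboard-walk bases. Crackers generate these from keyboard
# geometry; "qeadzcwrsfxv" is the letters of the article's 16-char example,
# which walks down alternating QWERTY columns (q-a-z, e-d-c, w-s-x, r-f-v).
KEYBOARD_WALKS = ["qazwsx", "qeadzc", "qeadzcwrsfxv", "1qaz2wsx"]
DIGITS = "0123456789"


def candidates():
    """Enumerate guesses the way offline crackers do: dictionary words and
    keyboard patterns, case rules, then digit and symbol suffixes (a mask)."""
    for base in WORDLIST + KEYBOARD_WALKS:
        for word in dict.fromkeys((base, base.capitalize(), base.upper())):
            yield word
            for sym in ("!", "?", "."):
                yield word + sym
            for n in range(1, 5):  # 1-4 trailing digits: "1", "2013", "1331"
                for digits in itertools.product(DIGITS, repeat=n):
                    yield word + "".join(digits)


def crack(leaked, hash_name="md5"):
    """Offline attack. Each guess is hashed once and looked up against the
    whole leak: with no salt, one computation tests every account at once."""
    remaining = set(leaked)
    found = {}
    guesses = 0
    for guess in candidates():
        guesses += 1
        h = hashlib.new(hash_name, guess.encode()).hexdigest()
        if h in remaining:
            found[h] = guess
            remaining.remove(h)
            if not remaining:
                break
    return found, guesses


# ---- Hardened storage: per-user salt plus a deliberately slow function -----
PBKDF2_ITERATIONS = 200_000


def store_password(password):
    """Return (salt, digest). A random salt per account means equal passwords
    hash differently, so a guess must be recomputed for every account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def guesses_per_second(hash_one, seconds=0.5):
    """Rough single-core guess rate for a hashing routine."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_one(b"qeadzcwrsfxv1331")
        n += 1
    return n / seconds


if __name__ == "__main__":
    found, guesses = crack(LEAKED_HASHES)
    print(f"cracked {len(found)}/{len(LEAKED_HASHES)} after {guesses} guesses:")
    for h, pw in found.items():
        print(f"  {h} -> {pw!r}")
    fast = guesses_per_second(lambda b: hashlib.md5(b).digest())
    salt = os.urandom(16)
    slow = guesses_per_second(
        lambda b: hashlib.pbkdf2_hmac("sha256", b, salt, PBKDF2_ITERATIONS))
    print(f"MD5: ~{fast:,.0f} guesses/s; PBKDF2-SHA256 x{PBKDF2_ITERATIONS}: "
          f"~{slow:,.1f} guesses/s (about {fast / slow:,.0f}x slower per guess)")
```

The point of the 16-character case is visible in `candidates()`: length does not help once the password is a keyboard pattern plus a four-digit suffix, because the pattern becomes a single dictionary entry and the suffix a 10,000-entry mask. The interpreted rate printed by the block is orders of magnitude below a GPU rig, but the ratio between the fast hash and PBKDF2 is the part that carries over.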
The Federal Bureau of Investigation has a new plan to intercept Internet messages, calls and video chats. Instead of requiring companies like Skype and Google to build surveillance capabilities into their services, as it proposed in 2010, the F.B.I. now proposes fining companies that fail to comply with court-ordered wiretaps. The new approach has met less opposition from other agencies, such as the Commerce Department, than the earlier plan, which went nowhere because some officials worried that it would hurt innovation by imposing expensive and technically difficult requirements on start-up Internet-based communication services. Fines, some officials believe, would be less of a burden on new businesses because they would not have to build wiretap capability before they had ever been served with an order. The White House is evaluating the plan for submission to Congress. The F.B.I. has long complained that court-approved, real-time eavesdropping on criminal suspects is becoming ever harder to carry out because people increasingly communicate without picking up a phone. The agency argues that monitoring Internet-based services does not expand government surveillance but merely updates the existing wiretap law. Judges would still have to authorize each wiretap, and would impose the fines if a service failed to comply.