Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hackers Behind Biggest-Ever Password Theft Begin Attacks

Soulskill posted 2 hours ago | from the 123456-letmein-iloveyou-trustno1 dept.

Security 32

An anonymous reader writes "Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts. "Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts." They report that most login attempts are failing, but some are succeeding. Now is a good time to check that none of your important accounts share passwords."

Tox, a Skype Replacement Built On 'Privacy First'

Soulskill posted 3 hours ago | from the pet-rock-also-built-on-privacy-first dept.

Communications 79

An anonymous reader writes: Rumors of back door access to Skype have plagued the communication software for the better part of a decade. Even if it's not true, Skype is owned by Microsoft, which is beholden to data requests from law enforcement. Because of these issues, a group of developers started work on Tox, which aims to rebuild the functionality of Skype with an emphasis on privacy. "The main thing the Tox team is trying to do, besides provide encryption, is create a tool that requires no central servers whatsoever—not even ones that you would host yourself. It relies on the same technology that BitTorrent uses to provide direct connections between users, so there's no central hub to snoop on or take down."

New Nigerian ID Card Includes Prepay MasterCard Wallet

samzenpus posted 8 hours ago | from the identification-and-credit-report-please dept.

Government 49

First time accepted submitter Adam Oxford writes Nigeria's National Identity Management System — which aims to bring together citizen information databases as diverse as driving licenses and tax returns — was introduced last week and includes a prepay MasterCard wallet. Civil liberties groups are naturally wary about the project, but proponents see it as a way to get financial services to the masses. From the article: "The director general of the commission which will implement NIMS, Chris 'E Onyemenam, said at the launch that the card will eventually be used for border control as well. 'There are many use cases for the card, including the potential to use it as an international travel document,' Onyemenam said. 'NIMC is focused on inclusive citizenship, more effective governance, and the creation of a cashless economy, all of which will stimulate economic growth, investment and trade.'"

Reported iCloud Hack Leaks Hundreds of Private Celebrity Photos

samzenpus posted 9 hours ago | from the gates-are-open dept.

Security 226

swinferno writes with news about the leak of hundreds of private celebrity photos over the weekend. Hundreds of revealing pictures of female celebrities were leaked overnight after being stolen from their private collections. Hunger Games actress Jennifer Lawrence, Kirsten Dunst, and pop star Ariana Grande were among the celebrities apparently shown in the pictures, which were posted on infamous web forum 4chan. It's unclear how the images were obtained, but anonymous 4chan users said that they were taken from celebrities' iCloud accounts. The accounts are designed to allow iPhone, iPad, and Mac users to synchronize images, settings, calendar information, and other data between devices, but the service has been criticized for being unreliable and confusing. Earlier this year, Jennifer Lawrence herself complained about the service in an interview with MTV.

Hacker Disrupts New Zealand Election Campaign

samzenpus posted yesterday | from the throwing-a-wrench-in-the-works dept.

Government 66

An anonymous reader writes New Zealand is facing its weirdest election ever with a hacker calling himself "Rawshark" progressively dumping emails hacked from a controversial blogger. This weekend, revelations forced the resignation of one Government minister and nobody knows what will drop next. Emails revealed that the blogger, called "Whale Oil", was in contact with both a government minister in charge of New Zealand's white collar crime investigations unit and with a PR man acting for a founder of a failed finance company then under investigation.

Wi-Fi Router Attack Only Requires a Single PIN Guess

Soulskill posted 2 days ago | from the one-two-three-four dept.

Wireless Networking 81

An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."

Reformatting a Machine 125 Million Miles Away

Soulskill posted 2 days ago | from the red-rover-red-rover-send-updates-right-over dept.

Mars 151

An anonymous reader writes: NASA's Opportunity rover has been rolling around the surface of Mars for over 10 years. It's still performing scientific observations, but the mission team has been dealing with a problem: the rover keeps rebooting. It's happened a dozen times this month, and the process is a bit more involved than rebooting a typical computer. It takes a day or two to get back into operation every time. To try and fix this, the Opportunity team is planning a tricky operation: reformatting the flash memory from 125 million miles away. "Preparations include downloading to Earth all useful data remaining in the flash memory and switching the rover to an operating mode that does not use flash memory. Also, the team is restructuring the rover's communication sessions to use a slower data rate, which may add resilience in case of a reset during these preparations." The team suspects some of the flash memory cells are simply wearing out. The reformat operation is scheduled for some time in September.

Hal Finney, PGP and Bitcoin Pioneer, Dies At 58

timothy posted 2 days ago | from the that's-a-legacy dept.

Bitcoin 38

New submitter brokenin2 writes Hal Finney, the number two programmer for PGP and the first person to receive a Bitcoin transaction, has passed away. From the article on Coindesk: "Shortly after collaborating with Nakamoto on early bitcoin code in 2009, Finney announced he was suffering from ALS. Increasing paralysis, which eventually became near-total, forced him to retire from work in early 2011."

Google Introduces HTML 5.1 Tag To Chrome

timothy posted 2 days ago | from the tagging-wars-ensue dept.

Chrome 87

darthcamaro (735685) writes "Forget about HTML5, that's already passe — Google is already moving on to HTML5.1 support for the upcoming Chrome 38 release. Currently only a beta, one of the biggest things that web developers will notice is the use of the new "picture" tag which is a container for multiple image sizes/formats. Bottom line is it's a new way to think about the "IMG" tag that has existed since the first HTML spec."

Mozilla To Support Public Key Pinning In Firefox 32

Soulskill posted 3 days ago | from the pin-the-key-on-the-fox dept.

Firefox 88

Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla's own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user's browser encounters a site that's presenting a certificate that isn't included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

IEEE Guides Software Architects Toward Secure Design

Soulskill posted 3 days ago | from the an-ounce-of-prevention dept.

Security 49

msm1267 writes: The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities. The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration.

Microsoft Releases Replacement Patch With Two Known Bugs

samzenpus posted 3 days ago | from the second-time-is-usually-a-charm dept.

Microsoft 138

snydeq writes Microsoft has re-released its botched MS14-045/KB 2982791 'Blue Screen 0x50' patch, only to introduce more problems, InfoWorld's Woody Leonhard reports. "Even by Microsoft standards, this month's botched Black Tuesday Windows 7/8/8.1 MS14-045 patch hit a new low. The original patch (KB 2982791) is now officially 'expired' and a completely different patch (KB 2993651) offered in its stead; there are barely documented revelations of new problems with old patches; patches that have disappeared; a 'strong' recommendation to manually uninstall a patch that went out via Automatic Update for several days; and an infuriating official explanation that raises serious doubts about Microsoft's ability to support Windows 9's expected rapid update pace."

The Executive Order That Led To Mass Spying, As Told By NSA Alumni

samzenpus posted 4 days ago | from the I-see-you dept.

United States 180

An anonymous reader writes with this Ars piece about the executive order that is the legal basis for the U.S. government's mass spying on citizens. One thing sits at the heart of what many consider a surveillance state within the US today. The problem does not begin with political systems that discourage transparency or technologies that can intercept everyday communications without notice. Like everything else in Washington, there's a legal basis for what many believe is extreme government overreach—in this case, it's Executive Order 12333, issued in 1981. “12333 is used to target foreigners abroad, and collection happens outside the US," whistleblower John Tye, a former State Department official, told Ars recently. "My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.” The document, known in government circles as "twelve triple three," gives incredible leeway to intelligence agencies sweeping up vast quantities of Americans' data. That data ranges from e-mail content to Facebook messages, from Skype chats to practically anything that passes over the Internet on an incidental basis. In other words, EO 12333 protects the tangential collection of Americans' data even when Americans aren't specifically targeted—otherwise it would be forbidden under the Foreign Intelligence Surveillance Act (FISA) of 1978.

PHP 5.6.0 Released

timothy posted 4 days ago | from the still-hard-to-pronounce dept.

PHP 115

An anonymous reader writes The PHP team has announced the release of PHP 5.6.0. New features include constant scalar expressions, exponentiation using the ** operator, function and constant importing with the use keyword, support for file uploads larger than 2 GB, and phpdbg as an interactive integrated debugger SAPI. The team also notes important changes affecting compatibility. For example: "Array keys won't be overwritten when defining an array as a property of a class via an array literal," json_decode() is now more strict at parsing JSON syntax, and GMP resources are now objects. Here is the migration guide, the full change log, and the downloads page.

FBI Investigates 'Sophisticated' Cyber Attack On JP Morgan, 4 More US Banks

timothy posted 4 days ago | from the could-have-been-motivated-by-love dept.

Security 98

Bruce66423 writes with news of an electronic attack believed to affect at least five U.S. banking institutions this month, including JP Morgan, now being investigated by the FBI. According to the Independent, The attack on JP Morgan reportedly resulted in the loss of “gigabytes of sensitive data” that could have involved customer and employee information. It is said to have been of a level of sophistication beyond ordinary criminals, leading to speculation of a state link. The FBI is thought to be investigating whether there is a connection to Russia. American-Russian relations continue to be fraught amid the crisis in Ukraine, with sanctions ramped up. Bruce66423 asks "The quality of the attack, which appears to have led to 'gigabytes' of data being lost, is raising the prospect of a state being the source. The present culprit suggested is Russia... why the assumption it's not China — just because China isn't invading the Ukraine at the moment?" News of the attack is also at the New York Times, which notes Earlier this year, iSight Partners, a security firm in Dallas that provides intelligence on online threats, warned companies that they should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions. But Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that works with banks, said that it would be “premature” to suggest the attacks were motivated by sanctions.

Netflix Open Sources Internal Threat Monitoring Tools

timothy posted 5 days ago | from the how-they-watch-you-watching-them dept.

Open Source 20

alphadogg (971356) writes Netflix has released three internal tools it uses to catch hints on the Web that hackers might target its services. "Many security teams need to stay on the lookout for Internet-based discussions, posts and other bits that may be of impact to the organizations they are protecting," wrote Andy Hoernecke and Scott Behrens of Netflix's Cloud Security Team. One of the tools, called Scumblr, can be used to create custom searches of Google sites, Twitter and Facebook for users or keywords.

Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support

Unknown Lamer posted 5 days ago | from the almost-makes-up-for-<dialog> dept.

Chromium 113

An anonymous reader writes Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager. There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which ...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects. The full changelog.

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Unknown Lamer posted 5 days ago | from the not-like-prisoners-are-people-anyway dept.

United Kingdom 74

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

Project Zero Exploits 'Unexploitable' Glibc Bug

Unknown Lamer posted about a week ago | from the never-say-never dept.

Security 98

NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

VMware Unveils Workplace Suite and NVIDIA Partnership For Chromebooks

samzenpus posted about a week ago | from the check-it-out dept.

Chrome 60

Gamoid writes At VMworld today, VMware introduced the Workplace Suite, a platform for securely delivering applications and content across desktops and mobile devices from the cloud. The really cool part, though, is a partnership with Google and NVIDIA to deliver even graphics-intensive Windows applications on a Chromebook. From the article: "The new VMware Workplace Suite takes advantage of three existing VMware products: Tools for application, device, and content management as well as secure cloud file storage that comes from the January acquisition of enterprise mobile management company AirWatch; VMware Horizon for desktop-as-a-service; and brand-new acquisition CloudVolumes for app delivery. "

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>