Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Wi-Fi Router Attack Only Requires a Single PIN Guess

Soulskill posted 5 hours ago | from the one-two-three-four dept.

Wireless Networking 36

An anonymous reader writes: New research shows that wireless routers are still quite vulnerable to attack if they don't use a good implementation of Wi-Fi Protected Setup. Bad implementations do a poor job of randomizing the key used to authenticate hardware PINs. Because of this, the new attack only requires a single guess at the hardware PIN to collect data necessary to break it. After a few hours to process the data, an attacker can access the router's WPS functionality. Two major router manufacturers are affected: Broadcom, and a manufacturer to be named once they get around to fixing it. "Because many router manufacturers use the reference software implementation as the basis for their customized router software, the problems affected the final products, Bongard said. Broadcom's reference implementation had poor randomization, while the second vendor used a special seed, or nonce, of zero, essentially eliminating any randomness."

Reformatting a Machine 125 Million Miles Away

Soulskill posted 12 hours ago | from the red-rover-red-rover-send-updates-right-over dept.

Mars 121

An anonymous reader writes: NASA's Opportunity rover has been rolling around the surface of Mars for over 10 years. It's still performing scientific observations, but the mission team has been dealing with a problem: the rover keeps rebooting. It's happened a dozen times this month, and the process is a bit more involved than rebooting a typical computer. It takes a day or two to get back into operation every time. To try and fix this, the Opportunity team is planning a tricky operation: reformatting the flash memory from 125 million miles away. "Preparations include downloading to Earth all useful data remaining in the flash memory and switching the rover to an operating mode that does not use flash memory. Also, the team is restructuring the rover's communication sessions to use a slower data rate, which may add resilience in case of a reset during these preparations." The team suspects some of the flash memory cells are simply wearing out. The reformat operation is scheduled for some time in September.

Hal Finney, PGP and Bitcoin Pioneer, Dies At 58

timothy posted yesterday | from the that's-a-legacy dept.

Bitcoin 33

New submitter brokenin2 writes Hal Finney, the number two programmer for PGP and the first person to receive a Bitcoin transaction, has passed away. From the article on Coindesk: "Shortly after collaborating with Nakamoto on early bitcoin code in 2009, Finney announced he was suffering from ALS. Increasing paralysis, which eventually became near-total, forced him to retire from work in early 2011."

Google Introduces HTML 5.1 Tag To Chrome

timothy posted yesterday | from the tagging-wars-ensue dept.

Chrome 76

darthcamaro (735685) writes "Forget about HTML5, that's already passe — Google is already moving on to HTML5.1 support for the upcoming Chrome 38 release. Currently only a beta, one of the biggest things that web developers will notice is the use of the new "picture" tag which is a container for multiple image sizes/formats. Bottom line is it's a new way to think about the "IMG" tag that has existed since the first HTML spec."

Mozilla To Support Public Key Pinning In Firefox 32

Soulskill posted yesterday | from the pin-the-key-on-the-fox dept.

Firefox 85

Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla's own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user's browser encounters a site that's presenting a certificate that isn't included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.

IEEE Guides Software Architects Toward Secure Design

Soulskill posted yesterday | from the an-ounce-of-prevention dept.

Security 49

msm1267 writes: The IEEE's Center for Secure Design debuted its first report this week, a guidance for software architects called "Avoiding the Top 10 Software Security Design Flaws." Developing guidance for architects rather than developers was a conscious effort the group made in order to steer the conversation around software security away from exclusively talking about finding bugs toward design-level failures that lead to exploitable security vulnerabilities. The document spells out the 10 common design flaws in a straightforward manner, each with a lengthy explainer of inherent weaknesses in each area and how software designers and architects should take these potential pitfalls into consideration.

Microsoft Releases Replacement Patch With Two Known Bugs

samzenpus posted 2 days ago | from the second-time-is-usually-a-charm dept.

Microsoft 136

snydeq writes Microsoft has re-released its botched MS14-045/KB 2982791 'Blue Screen 0x50' patch, only to introduce more problems, InfoWorld's Woody Leonhard reports. "Even by Microsoft standards, this month's botched Black Tuesday Windows 7/8/8.1 MS14-045 patch hit a new low. The original patch (KB 2982791) is now officially 'expired' and a completely different patch (KB 2993651) offered in its stead; there are barely documented revelations of new problems with old patches; patches that have disappeared; a 'strong' recommendation to manually uninstall a patch that went out via Automatic Update for several days; and an infuriating official explanation that raises serious doubts about Microsoft's ability to support Windows 9's expected rapid update pace."

The Executive Order That Led To Mass Spying, As Told By NSA Alumni

samzenpus posted 2 days ago | from the I-see-you dept.

United States 180

An anonymous reader writes with this Ars piece about the executive order that is the legal basis for the U.S. government's mass spying on citizens. One thing sits at the heart of what many consider a surveillance state within the US today. The problem does not begin with political systems that discourage transparency or technologies that can intercept everyday communications without notice. Like everything else in Washington, there's a legal basis for what many believe is extreme government overreach—in this case, it's Executive Order 12333, issued in 1981. “12333 is used to target foreigners abroad, and collection happens outside the US," whistleblower John Tye, a former State Department official, told Ars recently. "My complaint is not that they’re using it to target Americans, my complaint is that the volume of incidental collection on US persons is unconstitutional.” The document, known in government circles as "twelve triple three," gives incredible leeway to intelligence agencies sweeping up vast quantities of Americans' data. That data ranges from e-mail content to Facebook messages, from Skype chats to practically anything that passes over the Internet on an incidental basis. In other words, EO 12333 protects the tangential collection of Americans' data even when Americans aren't specifically targeted—otherwise it would be forbidden under the Foreign Intelligence Surveillance Act (FISA) of 1978.

PHP 5.6.0 Released

timothy posted 2 days ago | from the still-hard-to-pronounce dept.

PHP 114

An anonymous reader writes The PHP team has announced the release of PHP 5.6.0. New features include constant scalar expressions, exponentiation using the ** operator, function and constant importing with the use keyword, support for file uploads larger than 2 GB, and phpdbg as an interactive integrated debugger SAPI. The team also notes important changes affecting compatibility. For example: "Array keys won't be overwritten when defining an array as a property of a class via an array literal," json_decode() is now more strict at parsing JSON syntax, and GMP resources are now objects. Here is the migration guide, the full change log, and the downloads page.

FBI Investigates 'Sophisticated' Cyber Attack On JP Morgan, 4 More US Banks

timothy posted 2 days ago | from the could-have-been-motivated-by-love dept.

Security 97

Bruce66423 writes with news of an electronic attack believed to affect at least five U.S. banking institutions this month, including JP Morgan, now being investigated by the FBI. According to the Independent, The attack on JP Morgan reportedly resulted in the loss of “gigabytes of sensitive data” that could have involved customer and employee information. It is said to have been of a level of sophistication beyond ordinary criminals, leading to speculation of a state link. The FBI is thought to be investigating whether there is a connection to Russia. American-Russian relations continue to be fraught amid the crisis in Ukraine, with sanctions ramped up. Bruce66423 asks "The quality of the attack, which appears to have led to 'gigabytes' of data being lost, is raising the prospect of a state being the source. The present culprit suggested is Russia... why the assumption it's not China — just because China isn't invading the Ukraine at the moment?" News of the attack is also at the New York Times, which notes Earlier this year, iSight Partners, a security firm in Dallas that provides intelligence on online threats, warned companies that they should be prepared for cyberattacks from Russia in retaliation for Western economic sanctions. But Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that works with banks, said that it would be “premature” to suggest the attacks were motivated by sanctions.

Netflix Open Sources Internal Threat Monitoring Tools

timothy posted 3 days ago | from the how-they-watch-you-watching-them dept.

Open Source 20

alphadogg (971356) writes Netflix has released three internal tools it uses to catch hints on the Web that hackers might target its services. "Many security teams need to stay on the lookout for Internet-based discussions, posts and other bits that may be of impact to the organizations they are protecting," wrote Andy Hoernecke and Scott Behrens of Netflix's Cloud Security Team. One of the tools, called Scumblr, can be used to create custom searches of Google sites, Twitter and Facebook for users or keywords.

Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support

Unknown Lamer posted 3 days ago | from the almost-makes-up-for-<dialog> dept.

Chromium 112

An anonymous reader writes Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager. There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which ...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects. The full changelog.

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Unknown Lamer posted 4 days ago | from the not-like-prisoners-are-people-anyway dept.

United Kingdom 74

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

Project Zero Exploits 'Unexploitable' Glibc Bug

Unknown Lamer posted 4 days ago | from the never-say-never dept.

Security 98

NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

VMware Unveils Workplace Suite and NVIDIA Partnership For Chromebooks

samzenpus posted 4 days ago | from the check-it-out dept.

Chrome 59

Gamoid writes At VMworld today, VMware introduced the Workplace Suite, a platform for securely delivering applications and content across desktops and mobile devices from the cloud. The really cool part, though, is a partnership with Google and NVIDIA to deliver even graphics-intensive Windows applications on a Chromebook. From the article: "The new VMware Workplace Suite takes advantage of three existing VMware products: Tools for application, device, and content management as well as secure cloud file storage that comes from the January acquisition of enterprise mobile management company AirWatch; VMware Horizon for desktop-as-a-service; and brand-new acquisition CloudVolumes for app delivery. "

TechCentral Scams Call Center Scammers

timothy posted 4 days ago | from the my-personal-record-is-about-20-minutes dept.

Spam 247

An anonymous reader writes "At TechCentral, we get on average called at least once a week — sometimes far more often — by a friendly sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time. Usually we shrug them off and put the phone down, but this week we thought we'd humour them to find out how they operate. As this week's call came in, the first thing the "operator" at the other end of the line tried to establish was who was owner of the Windows computer in the household. I'd taken the call. It was time to have some fun. I told the scammer that I was the PC owner. He proceeded to introduce himself as "John Connor." I laughed quietly as I imagined Arnold Schwarzenegger's Terminator hunting down this scamster in the streets of Calcutta. Perhaps he should have come up with a more convincing name."

New Windows Coming In Late September -- But Which One?

timothy posted 4 days ago | from the double-insulated dept.

Operating Systems 251

snydeq (1272828) writes "Nobody seems to know for sure whether 'Threshold' and 'Windows 9' will be one and the same or separate operating systems, reports Woody Leonhard in his roundup of insights on Microsoft's forthcoming OS plans, expected September 30. 'Many people think the terms are synonymous, but longtime Chinese leaker Faikee continues to maintain that they are two separate products, possibly headed in different directions. Neowin Senior Editor and Columnist Brad Sams appears to have access to the most recent test builds, possibly on a daily basis. He doesn't talk about details, but the items he's let drop on the Neowin forum leave an interesting trail of crumbs.' Either way, the next iteration of Windows will have a lot to say about the kind of Microsoft to expect as Satya Nadella cements his leadership over the flagship OS."

$75K Prosthetic Arm Is Bricked When Paired iPod Is Stolen

timothy posted 4 days ago | from the what-about-backups dept.

Bug 194

kdataman writes U.S. Army Staff Sgt. Ben Eberle, who lost an arm and both legs in Afghanistan, had his Ipod Touch stolen on Friday. This particular Ipod Touch has an app on it that controls his $75,000 prosthetic arm. The robbery bricked his prosthesis: "That is because Eberle's prosthetic hand is programmed to only work with the stolen iPod, and vice versa. Now that the iPod is gone, he said he has to get a new hand and get it reprogrammed with his prosthesis." I see three possibilities: 1) The article is wrong, possibly to guilt the thief into returning the Ipod. 2) This is an incredibly bad design by Touch Bionics. Why would you make a $70,000 piece of equipment permanently dependent on a specific Ipod Touch? Ipods do fail or go missing. 3) This is an intentionally bad design to generate revenue. Maybe GM should do this with car keys? "Oops, lost the keys to the corvette. Better buy a new one."

Securing the US Electrical Grid

samzenpus posted 5 days ago | from the locking-things-down dept.

Security 117

An anonymous reader writes The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather. In this interview with Help Net Security, Dan Mahaffee, the Director of Policy at CSPC, discusses critical security challenges.

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>