
US Gov't Issues Alert About iOS "Masque Attack" Threat

timothy posted yesterday | from the that'll-teach-'em dept.

IOS 86

alphadogg writes Three days after security company FireEye warned of an iPhone/iPad threat dubbed "Masque Attack", the U.S. government has issued a warning of its own about this new risk by malicious third-party apps to Apple iOS devices. US-CERT warned: "This attack works by luring users to install an app from a source other than the iOS App Store or their organizations' provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link." Revelations of Masque came on the heels of a related exploit (that also threatens Macs) called WireLurker.

Ask Slashdot: Getting Around Terrible Geolocation?

timothy posted yesterday | from the ok-but-does-this-get-you-irish-citizenship? dept.

Network 96

First time accepted submitter AvitarX writes W3C has the IP address where I work as showing up in Ireland (we are in the USA). This is a nuisance for a lot of reasons (many dates now display in European format, prices are listed in euros, search results redirect to google.ie). Some of these issues can be worked around, but it's frustrating. I have searched as best as I can, and can only find information on the geolocation API in HTML5. The office is on a static IP address from Comcast. When I visit whatismyipaddress.com all info is correct except for W3C's result. I have submitted that it is inaccurate; is there anything else I can do? Googling, I have only managed to find usage examples for web developers/designers.

Internet Voting Hack Alters PDF Ballots In Transmission

timothy posted yesterday | from the don't-let-the-nice-man-borrow-your-router dept.

Government 131

msm1267 (2804139) writes Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren't where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called 'Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering' that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

Nvidia Shield Tablet Gets Android Lollipop Update, Half Life 2 EP1 and GRID

timothy posted yesterday | from the oopmh-and-grace dept.

Android 48

MojoKid writes Nvidia's Shield Tablet is only a few months old, but Nvidia is already updating the device with a freshly minted OS, a refreshed Shield Hub and access to the company's newly upgraded GRID Game Streaming service. A number of new Tegra K1 optimized games are arriving too, along with a new game bundle which includes Half Life 2 Episode 1. The SHIELD Tablet Android Lollipop update will feature Android's new "material design" interface and improved app performance, according to Nvidia. The update will also come preloaded with a new version of Nvidia's own Dabbler drawing and painting app (Dabbler 2.0). In addition to a new interface inspired by Lollipop's design language, Dabbler 2.0 will offer full support for layers and it'll allow users to share their sessions over Twitch. Previously, accessing Nvidia's GRID beta meant streaming games from a GRID server cluster on the west coast, but Nvidia is expanding the service with server clusters located in Virginia, Europe and Asia. For the best possible user experience, streaming games from the cloud must incur minimal latency, and adding more servers in strategic locations not only affords Nvidia greater capacity, but minimizes latency as well. Nvidia says the GRID service will be available in North America this month, Western Europe in December and Asia sometime next year. The company's GRID service gives gamers access to 20 top titles currently, including Batman Arkham City, Borderlands 2 and Psychonauts, among others, and Nvidia is planning to add new games every week.

Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

timothy posted yesterday | from the why-not-hand-deliver-those-messages? dept.

Network 389

New submitter hawkbug writes For the past 15 years, I have hosted my own email server at home and it's been pretty painless. I had always used a local Denver ISP on a single static IP. Approximately two years ago, I switched to a faster connection, which now is hosted on Comcast. They provide me 5 static IPs and much faster speeds. It's a business connection with no ports blocked, etc. It has been mostly fine these last two years, with the occasional outage due to typical Comcast issues. About two weeks ago, I came across a serious issue. The following email services started rejecting all email from my server: Hotmail, Yahoo, and Gmail. I checked, and my IP is not on any real time blacklists for spammers, and I don't have any security issues. My mail server is not set as an open relay, and I use SPF records and pass all SPF tests. It appears that all three of those major email services started rejecting email from me based on a single condition: Comcast. I can understand the desire to limit spam — but here is the big problem: I have no way to combat this. With Gmail, I can instruct users to flag my emails as "not spam" because the emails actually go through, but simply end up in the spam folder. Yahoo and Hotmail, on the other hand, just flat out reject the traffic at a lower level. They send rejection notices back to my server that contain "tips" on how to make sure I'm not an open relay, causing spam, etc. Since I am not doing any of those things, I would expect some sort of option to have my IP whitelisted or verified. However, I cannot find a single option to do so. The part that bugs me is that this happened two weeks ago with multiple major email services. Obviously, they are getting anti-spam policies from a central location of some kind. I don't know where. If I did, I could possibly go after the source and try to get my IP whitelisted. When I ask my other tech friends what they would do, they simply suggest changing ISPs. Nobody likes Comcast, but I don't have a choice here. I'm two years into a three-year contract. So, moving is not an option. Is there anything I can do to remedy this situation?

Popular Smartphones Hacked At Mobile Pwn2Own 2014

timothy posted yesterday | from the keep-it-in-a-faraday-cage dept.

Android 50

wiredmikey writes Researchers have hacked several popular smartphones during the Mobile Pwn2Own 2014 competition that took place alongside the PacSec Applied Security Conference in Tokyo this week. The competition, organized by HP's Zero Day Initiative (ZDI), targeted the Amazon Fire Phone, iPhone 5s, iPad Mini, BlackBerry Z30, Google Nexus 5 and Nexus 7, Nokia Lumia 1520, and Samsung Galaxy S5. Using various attacks, some Mobile Pwn2Own 2014 Pwnage included: Apple's iPhone 5s (hacked via the Safari Web browser, achieving a full sandbox escape); Samsung's Galaxy S5 (hacked multiple times using near-field communications attacks); Amazon's Fire Phone (Web browser exploited); Windows Phone (partial hacks using a browser attack), and the Nexus 5 (a Wi-Fi attack, which failed to elevate privileges). All the exploits were disclosed privately to the affected companies. HP promised to reveal details in the upcoming weeks.

Senate May Vote On NSA Reform As Soon As Next Week

samzenpus posted yesterday | from the stop-looking-at-me dept.

United States 112

apexcp writes Senate Majority Leader (for now) Harry Reid announced he will be taking the USA FREEDOM Act to a floor vote in the Senate as early as next week. While the bill, if passed, would be the first significant legislative reform of the NSA since 9/11, many of the act's initial supporters have since disavowed it, claiming that changes to its language mean it won't do enough to curb the abuses of the American surveillance state.

US Weather System and Satellite Network Hacked

samzenpus posted 2 days ago | from the all-your-weather-are-belong-to-us dept.

China 75

mpicpp writes with this story about Chinese hackers breaching the federal weather network. "Hackers attacked the U.S. weather system in October, causing a disruption in satellite feeds and several pivotal websites. The National Oceanic and Atmospheric Administration, NOAA, said that four of its websites were hacked in recent weeks. To block the attackers, government officials were forced to shut down some of its services. This explains why satellite data was mysteriously cut off in October, as well as why the National Ice Center website and others were down for more than a week. During that time, federal officials merely stated a need for 'unscheduled maintenance.' Still, NOAA spokesman Scott Smullen insisted that the aftermath of the attack 'did not prevent us from delivering forecasts to the public.' Little more is publicly known about the attack, which was first revealed by The Washington Post. It's unclear what damage, if any, was caused by the hack. But hackers managed to penetrate what's considered one of the most vital aspects of the U.S. government. The nation's military, businesses and local governments all rely on nonstop reports from the U.S. weather service."

Data Center Study Reveals Top 5 SMART Stats That Correlate To Drive Failures

samzenpus posted 2 days ago | from the about-to-go dept.

Data Storage 125

Lucas123 writes Backblaze, which has taken to publishing data on hard drive failure rates in its data center, has just released data from a new study of nearly 40,000 spindles revealing what it said are the top 5 SMART (Self-Monitoring, Analysis and Reporting Technology) values that correlate most closely with impending drive failures. The study also revealed that many SMART values that one would innately consider related to drive failures actually don't relate to it at all. Gleb Budman, CEO of Backblaze, said the problem is that the industry has created vendor-specific values, so that a stat related to one drive and manufacturer may not relate to another. "SMART 1 might seem correlated to drive failure rates, but actually it's more of an indication that different drive vendors are using it themselves for different things," Budman said. "Seagate wants to track something, but only they know what that is. Western Digital uses SMART for something else — neither will tell you what it is."

After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly

Soulskill posted 2 days ago | from the enjoy-the-calm-before-your-storm dept.

The Internet 85

apexcp writes: A week ago, Silk Road 2.0 was theatrically shut down by a global cadre of law enforcement. This week, the dark net is realigning. "In the wake of the latest police action against online bazaars, the anonymous black market known as Evolution is now the biggest Dark Net market of all time. Today, Evolution features 20,221 products for sale, a 28.8 percent increase from just one month ago and an enormous 300 percent increase over the past six months."

ISPs Removing Their Customers' Email Encryption

Soulskill posted 2 days ago | from the aggressively-anticonsumer dept.

Encryption 243

Presto Vivace points out this troubling new report from the Electronic Frontier Foundation: Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the U.S. and Thailand intercepting their customers' data to strip a security flag — called STARTTLS — from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

US Postal Service Suspends Telecommuting Following Massive Breach

Soulskill posted 2 days ago | from the you-can't-go-home-again dept.

Security 48

An anonymous reader writes: The folks at the USPS have responded to the recent breach that exposed data on 800K employees and some 2.8 million customers. They have suspended telecommuting for all employees until further notice while they replace their VPN with a more secure version. "Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach."

First Victims of the Stuxnet Worm Revealed

Soulskill posted 2 days ago | from the patient-zero dept.

Security 39

An anonymous reader writes: Analyzing more than 2,000 Stuxnet files collected over a two-year period, Kaspersky Lab can identify the first victims of the Stuxnet worm. Initially security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn't yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities. Kaspersky Lab analysis sheds light on these questions.

Multi-Process Comes To Firefox Nightly, 64-bit Firefox For Windows 'Soon'

timothy posted 2 days ago | from the why-not-go-straight-to-640-bit dept.

Firefox 178

An anonymous reader writes with word that the Mozilla project has made two announcements that should make hardcore Firefox users very happy. The first is that multi-process support is landing in Firefox Nightly, and the second is that 64-bit Firefox is finally coming to Windows. The features are a big deal on their own, but together they show Mozilla's commitment to the desktop version of Firefox as they both improve performance and security. The news is part of a slew of unveilings from the company on the browser's 10th anniversary — including new Firefox features and the debut of Firefox Developer Edition.

Germans Can Get Free Heating From the Cloud

timothy posted 2 days ago | from the not-just-free-water dept.

Cloud 148

judgecorp writes The idea of re-using waste server heat is not new, but German firm Cloud&Heat seems to have developed it further than most. For a flat installation fee, the company will install a rack of servers in your office, with its own power and Internet connection. Cloud&Heat then pays the bills and you get the heat. As well as Heat customers, the firm wants Cloud customers, who can buy a standard OpenStack-based cloud compute and storage service on the web. The company guarantees that data is encrypted and held within Germany — at any one of its Heat customers' premises. In principle, it's a way to build a data center with no real estate, by turning its waste heat into an asset. A similar deal is promised by French firm Qarnot.

Gridlock In Action: Retailers Demand New Regulations To Protect Consumers

Soulskill posted 3 days ago | from the use-your-terrible-system-to-fix-your-terrible-system dept.

Government 126

chicksdaddy writes: How bad is the gridlock in Washington D.C.? So bad that the nation's retailers are calling for federal legislation on cyber security and data protection to protect consumer information — even though they would bear the brunt of whatever legislation is passed. The Security Ledger notes that groups representing many of the nation's retailers sent a letter (PDF) to Congressional leaders last week urging them to pass federal data protection legislation that sets clear rules for businesses serving consumers.

"The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact," the letter reads. "A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

Retailers would likely bear the brunt of a new federal data protection law. The motivation for pushing for one anyway may be simplicity. Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. There is broad, bi-partisan agreement on the need for a data breach and consumer protection law. However, small differences of opinion on its scope and provisions, exacerbated by political gridlock in Congress since 2010, have combined to stay the federal government's hand.

Meanwhile, reader schwit1 points out that banks are now starting to demand that retailers pay for all the financial damage their security breaches cause.

US Postal Service Hacked, 500k+ Employees and Public Data Breached

samzenpus posted 3 days ago | from the protect-ya-neck dept.

United States 46

An anonymous reader writes "The U.S. Postal Service has admitted that it has suffered a massive security breach, with the disclosure to hackers of the personal details of over 500,000 USPS workers, along with details supplied by members of the public when contacting Postal Service call centers between January and mid-August of 2014. The breach is a hard blow to the integrity and reputation of the USPS's internal security set-up, the Corporate Information Security Office (CISO). In 2012, CISO reported that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers."

Book Review: Countdown To Zero Day

samzenpus posted 3 days ago | from the read-all-about-it dept.

Books 58

benrothke writes A word to describe the book Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw was hyperbole. While the general storyline from the 1996 book was accurate, filler was written that created the legend of Kevin Mitnick. This in turn makes the book a near work of historical fiction. Much has changed in nearly 20 years and Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon has certainly upped the ante for accurate computer security journalism. The book is a fascinating read and author Kim Zetter's attention to detail and accuracy is superb. In the inside cover of the book, Kevin Mitnick describes this as an ambitious, comprehensive and engrossing book. The irony is not lost in that Mitnick was dogged by misrepresentations in Markoff's book. Keep reading for the rest of Ben's review.

Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches

samzenpus posted 3 days ago | from the who's-to-blame dept.

United States 61

schwit1 writes Federal employees and contractors are unwittingly undermining a $10 billion-per-year effort to protect sensitive government data from cyberattacks, according to a published report. The AP says that workers in more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an analysis of records.

Eben Upton Explains the Raspberry Pi Model A+'s Redesign

samzenpus posted 4 days ago | from the straight-from-the-horses-mouth dept.

Education 105

M-Saunders writes It's cheaper, it's smaller, and it's curvier: the new Raspberry Pi Model A+ is quite a change from its predecessor. But with Model Bs selling more in a month than Model As have done in the lifetime of the Pi, what's the point in releasing a new model? Eben Upton, a founder of the Raspberry Pi Foundation, explains all. "It gives people a really low-cost way to come and play with Linux and it gives people a low-cost way to get a Raspberry Pi. We still think most people are still going to buy B+s, but it gives people a way to come and join in for the cost of 4 Starbucks coffees."
