Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Data Archiving Standards Need To Be Future-Proofed

timothy posted 6 hours ago | from the nothing-is-totally-future-proof dept.

Data Storage 71

storagedude writes Imagine in the not-too-distant future, your entire genome is on archival storage and accessed by your doctors for critical medical decisions. You'd want that data to be safe from hackers and data corruption, wouldn't you? Oh, and it would need to be error-free and accessible for about a hundred years too. The problem is, we currently don't have the data integrity, security and format migration standards to ensure that, according to Henry Newman at Enterprise Storage Forum. Newman calls for standards groups to add new features like collision-proof hash to archive interfaces and software.

'It will not be long until your genome is tracked from birth to death. I am sure we do not want to have genome objects hacked or changed via silent corruption, yet this data will need to be kept maybe a hundred or more years through a huge number of technology changes. The big problem with archiving data today is not really the media, though that too is a problem. The big problem is the software that is needed and the standards that do not yet exist to manage and control long-term data,' writes Newman.

Microsoft Kills Off Its Trustworthy Computing Group

timothy posted 12 hours ago | from the but-you-can-totally-trust-it dept.

Microsoft 80

An anonymous reader writes Microsoft's Trustworthy Computing Group is headed for the axe, and its responsibilities will be taken over either by the company's Cloud & Enterprise Division or its Legal & Corporate Affairs group. Microsoft's disbanding of the group represents a punctuation mark in the industry's decades-long conversation around trusted computing as a concept. The security center of gravity is moving away from enterprise desktops to cloud and mobile and 'things,' so it makes sense for this security leadership role to shift as well. According to a company spokesman, an unspecified number of jobs from the group will be cut. Also today, Microsoft has announced the closure of its Silicon Valley lab. Its research labs in Redmond, New York, and Cambridge (in Massachusetts) will pick up some of the closed lab's operations.

Google's Doubleclick Ad Servers Exposed Millions of Computers To Malware

timothy posted 13 hours ago | from the but-zedo-is-awesome dept.

Advertising 127

wabrandsma (2551008) writes with this excerpt from The Verge: Last night, researchers at Malwarebytes noticed strange behavior on sites like Last.fm, The Times of Israel and The Jerusalem Post. Ads on the sites were being unusually aggressive, setting off anti-virus warnings and raising flags in a number of Malwarebytes systems. After some digging, researcher Jerome Segura realized the problem was coming from Google's DoubleClick ad servers and the popular Zedo ad agency. Together, they were serving up malicious ads designed to spread the recently identified Zemot malware. A Google representative has confirmed the breach, saying "our team is aware of this and has taken steps to shut this down."

Dropbox and Google Want To Make Open Source Security Tools Easy To Use

Soulskill posted yesterday | from the bang-your-head-on-the-screen-to-unlock-your-forehead-profile dept.

Open Source 19

An anonymous reader writes: Dropbox, Google, and the Open Technology Fund have announced a new organization focused on making open source security tools easier to use. Called Simply Secure, the initiative brings together security researchers with experts in user interaction and design to boost adoption rates for consumer-facing security solutions. The companies point out that various security options already do exist, and are technically effective. Features like two-factor authentication remain useless, however, because users don't adopt them due to inconvenience or technical difficulty.

TrueCrypt Gets a New Life, New Name

Soulskill posted yesterday | from the and-hopefully-won't-disappear-into-the-void dept.

Encryption 214

storagedude writes: Amid ongoing security concerns, the popular open source encryption program TrueCrypt may have found new life under a new name. Under the terms of the TrueCrypt license — which was a homemade open source license written by the authors themselves rather than a standard one — a forking of the code is allowed if references to TrueCrypt are removed from the code and the resulting application is not called TrueCrypt. Thus, CipherShed will be released under a standard open source license, with long-term ambitions to become a completely new product.

Home Depot Says Breach Affected 56 Million Cards

Soulskill posted yesterday | from the going-for-the-high-score dept.

Security 77

wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.

Next Android To Enable Local Encryption By Default Too, Says Google

timothy posted 2 days ago | from the keep-it-to-yourself-bub dept.

Encryption 125

An anonymous reader writes The same day that Apple announced that iOS 8 will encrypt device data with a local code that is not shared with Apple, Google has pointed out that Android already offers the same feature as a user option and that the next version will enable it by default. The announcements by both major cell phone [operating system makers] underscores a new emphasis on privacy in the wake of recent government surveillance revelations in the U.S. At the same time, it leaves unresolved the tension between security and convenience when both companies' devices are configured to upload user content to iCloud and Google+ servers for backup and synchronization across devices, servers and content to which Apple and Google do have access.

Apple Will No Longer Unlock Most iPhones, iPads For Police

timothy posted 2 days ago | from the just-what-they-want-you-to-think-part-827398 dept.

Encryption 494

SternisheFan writes with this selection from a story at the Washington Post: Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user data. The move, announced with the publication of a new privacy policy tied to the release of Apple's latest mobile operating system, iOS 8, amounts to an engineering solution to a legal dilemma: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that makes it almost impossible for the company – or anyone else but the device's owner – to gain access to the vast troves of user data typically stored on smartphones or tablet computers. The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails, recordings or other documents. Apple once kept possession of encryption keys that unlocked devices for legally binding police requests, but will no longer do so for iOS8, it said in a new guide for law enforcement. "Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," Apple said on its Web site. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

US Military Aware Only Belatedly of Chinese Attacks Against Transport Contractor

timothy posted 2 days ago | from the oh-did-that-happen? dept.

China 13

itwbennett writes The Senate Armed Service Committee released on Wednesday an unclassified version of a report (PDF) commissioned last year to investigate cyberattacks against contractors for the U.S. Transportation Command (TRANSCOM). The report alleges that the Chinese military successfully stole emails, documents, login credentials and more from contractors, but few of those incidents were ever reported to TRANSCOM. During a one-year period starting in June 2012, TRANSCOM contractors endured more than 50 intrusions, 20 of which were successful in planting malware. TRANSCOM learned of only two of the incidents. The FBI, however, was aware of 10 of the attacks.

Tinba Trojan Targets Major US Banks

samzenpus posted 2 days ago | from the protect-ya-neck dept.

Security 60

An anonymous reader writes Tinba, the tiny (20 KB) banking malware with man-in-the-browser and network traffic sniffing capabilities, is back. After initially being made to target users of a small number of banks, that list has been amplified and now includes 26 financial institutions mostly in the US and Canada, but some in Australia and Europe as well. Tinba has been modified over the years, in an attempt to bypass new security protections set up by banks, and its source code has been leaked on underground forums a few months ago. In this new campaign, the Trojan gets delivered to users via the Rig exploit kit, which uses Flash and Silverlight exploits. The victims get saddled with the malware when they unknowingly visit a website hosting the exploit kit."

Ask Slashdot: Remote Support For Disconnected, Computer-Illiterate Relatives

samzenpus posted 2 days ago | from the help-me-please dept.

IT 333

An anonymous reader writes I use email to communicate with my folks overseas. Their ISP only allows dial-up access to their email account (there is no option of changing ISP), that can receive messages no larger than 1MB nor hold more than 15MB (no hope of changing that either). They are computer-illiterate, click on everything they receive, and take delight on sending their information to any Nigerian prince that contacts them, "just in case this one is true". Needless to say, their PC is always full of viruses and spyware. In my next yearly visit, instead of just cleaning it up, I'd like to gift them with some "hardened" PC to use for email only that would hopefully last the year before someone has to fix it. So far, these are the things I have in mind:

  • Some kind of linux distro, or maybe even mac. Most viruses over there are windows only and propagate via Autorun.inf or by email attachments, not having Windows could prevent both.
  • Some desktop environment that hides anything unrelated to connecting to the net and accessing their account (dial-up software, email client, web browser, exchanging files between their hard disk/email attachments and USB drives). By "hide", I just want the rest to be out of the way, but not entirely removed, so that if necessary, I can guide them over the phone. For this, Ubuntu's Unity seems like a particularly bad solution, but a Gnome desktop with non-removable desktop shortcuts (is this possible?) for the file manager, browser, email client and dial-up program could work. An android system is unlikely to work (they have no wifi, and they were utterly confused with Android's UI).
  • This could be a life saver: some kind of extension to the email client that executes commands on specially formatted emails (e.g., signed with my private key), so that I can do some basic diagnostics or install extra software if I have to. This las point is important: they currently rely on acquaintances who may not be competent (they can't evaluate that) if something happens between my visits. They, most likely, wont know how to deal with anything non-windows, so all tech support would fall on me. (This is the reason I haven't moved them from windows yet.)
  • Another very useful extension would be something to automatically re-assemble attachments split into several emails, to overcome the 1MB message limit.

Does any of that exist? If I have to build that system myself (or parts of it), do you have other suggestions? For the inevitable and completely reasonable suggestion of getting someone competent for tech support: I've tried that too. The competent ones don't last beyond the third visit.

Use of Forced Labor "Systemic" In Malaysian IT Manufacturing

samzenpus posted 2 days ago | from the passing-on-the-savings-and-the-misery dept.

Businesses 182

itwbennett (1594911) writes "The use of forced labor is so prevalent in the Malaysian electronics manufacturing industry that there is hardly a major brand name that isn't touched by the illegal practice, according to a report funded by the U.S. Department of Labor and undertaken by Verité, a nonprofit organization focused on labor issues. The two-year study surveyed more than 500 migrant workers at around 200 companies in Malaysia's IT manufacturing sector and found one in three were working under conditions of forced labor."

eBay Redirect Attack Puts Buyers' Credentials At Risk

samzenpus posted 2 days ago | from the steal-it-now dept.

Security 37

mrspoonsi points out this BBC story about an eBay breach that was directing users to a spoof site. "eBay has been compromised so that people who clicked on some of its links were automatically diverted to a site designed to steal their credentials. The spoof site had been set up to look like the online marketplace's welcome page. The firm was alerted to the hack on Wednesday night but removed the listings only after a follow-up call from the BBC more than 12 hours later. One security expert said he was surprised by the length of time taken. 'EBay is a large company and it should have a 24/7 response team to deal with this — and this case is unambiguously bad,' said Dr Steven Murdoch from University College London's Information Security Research Group. The security researcher was able to analyze the listing involved before eBay removed it. He said that the technique used was known as a cross-site scripting (XSS) attack."

NSA Director Says Agency Is Still Trying To Figure Out Cyber Operations

Soulskill posted 3 days ago | from the i-don't-think-the-mr-magoo-routine-is-going-to-work dept.

Government 103

Trailrunner7 writes: In a keynote speech at a security conference in Washington on Tuesday, new NSA Director Mike Rogers emphasized a need to establish behavioral norms for cyber war. "We're still trying to work our way through distinguishing the difference between criminal hacking and an act of war," said Rogers. "If this was easy, we would have figured it out years ago. We have a broad consensus about what constitutes an act of war, what's an act of defense." Rogers went on to explain that we need to better establish standardized terminology and standardized norms like those that exist in the realm of nuclear deterrence. Unfortunately, unlike in traditional national defense, we can not assume that the government will be able to completely protect us against cyber-threats because the threat ecosystem is just too broad.

Why Is It Taking So Long To Secure Internet Routing?

Soulskill posted 3 days ago | from the adoption-is-driven-by-fear dept.

Networking 85

CowboyRobot writes: We live in an imperfect world where routing-security incidents can still slip past deployed security defenses, and no single routing-security solution can prevent every attacks. Research suggests, however, that the combination of RPKI (Resource Public Key Infrastructure) with prefix filtering could significantly improve routing security; both solutions are based on whitelisting techniques and can reduce the number of autonomous systems that are impacted by prefix hijacks, route leaks, and path-shortening attacks. "People have been aware of BGP’s security issues for almost two decades and have proposed a number of solutions, most of which apply simple and well-understood cryptography or whitelisting techniques. Yet, many of these solutions remain undeployed (or incompletely deployed) in the global Internet, and the vulnerabilities persist. Why is it taking so long to secure BGP?"

Tim Cook Says Apple Can't Read Users' Emails, That iCloud Wasn't Hacked

timothy posted 3 days ago | from the our-cooperation-was-strictly-reluctant dept.

Cloud 191

Apple CEO Tim Cook insists that Apple doesn't read -- in fact, says Cook, cannot read -- user's emails, and that the company's iCloud service wasn't hacked. ZDNet presents highlights from Cook's lengthy, two-part interview with Charlie Rose. One selection of particular interest: Apple previously said that even it can't access iMessage and FaceTime communications, stating that such messages and calls are not held in an "identifiable form." [Cook] claimed if the government "laid a subpoena," then Apple "can't provide it." He said, bluntly: "We don't have a key... the door is closed." He reiterated previous comments, whereby Apple has said it is not in the business of collecting people's data. He said: "When we design a new service, we try not to collect data. We're not reading your email." Cook went on to talk about PRISM in more detail, following the lead from every other technology company implicated by those now-infamous PowerPoint slides.

New Release of MINIX 3 For x86 and ARM Is NetBSD Compatible

timothy posted 3 days ago | from the big-and-fancy dept.

Open Source 93

An anonymous reader writes MINIX 3 is a small POSIX-compliant operating system aimed at high reliability (embedded) applications. A major new version of MINIX 3 (3.3.0) is now available for download at www.minix3.org. In addition to the x86, the ARM Cortex A8 is now supported, with ports to the BeagleBoard and BeagleBones available. Finally, the entire userland has been redone in 3.3.0 to make it NetBSD compatible, with thousands of NetBSD packages available out of the box. MINIX 3 is based on a tiny (13 KLoC) microkernel with the operating system running as a set of protected user-mode processes. Each device driver is also a separate process. If a driver fails, it is automatically and transparently restarted without rebooting and without applications even noticing, making the system self-healing. The full announcement, with links to the release notes and notes on installation, can be found at the Minix Google Groups page.

Canon Printer Hacked To Run Doom Video Game

samzenpus posted 4 days ago | from the print-or-play dept.

Security 89

wiredog writes Security researcher Michael Jordon has hacked a Canon's Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading via the update interface. From the BBC: "Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. 'The web interface has no user name or password on it,' he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found."

New Details About NSA's Exhaustive Search of Edward Snowden's Emails

samzenpus posted 4 days ago | from the taking-a-good-look dept.

Government 200

An anonymous reader points out this Vice story with new information about the NSA's search of Edward Snowden's emails. Last year, the National Security Agency (NSA) reviewed all of Edward Snowden's available emails in addition to interviewing NSA employees and contractors in order to determine if he had ever raised concerns internally about the agency's vast surveillance programs. According to court documents the government filed in federal court September 12, NSA officials were unable to find any evidence Snowden ever had.

In a sworn declaration, David Sherman, the NSA's associate director for policy and records, said the agency launched a "comprehensive" investigation after journalists began to write about top-secret NSA spy programs upon obtaining documents Snowden leaked to them. The investigation included searches of any records where emails Snowden sent raising concerns about NSA programs "would be expected to be found within the agency." Sherman, who has worked for the NSA since 1985, is a "original classification authority," which means he can classify documents as "top-secret" and process, review, and redact records the agency releases in response to Freedom of Information Act (FOIA) requests.

In his declaration, Sherman detailed steps he said agency officials took to track down any emails Snowden wrote that contained evidence he'd raised concerns inside the agency. Sherman said the NSA searched sent, received, deleted emails from Snowden's account and emails "obtained by restoring back-up tapes." He noted that NSA officials reviewed written reports and notes from interviews with "NSA affiliates" with whom the agency spoke during its investigation.

Malware Distributed Through Twitch Chat Is Hijacking Steam Accounts

samzenpus posted 5 days ago | from the protect-ya-neck dept.

Security 53

An anonymous reader writes If you use Twitch don't click on any suspicious links in the video streaming platform's chat feature. Twitch Support's official Twitter account issued a security warning telling users not to click the "csgoprize" link in chat. According to f-secure, the link leads to a Java program that asks for your name and email. If you provide the info it will install a file on your computer that's able to take out any money you have in your Steam wallet, as well as sell or trade items in your inventory. "This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry," says F-Secure. "It even dumps your items for a discount in the Steam Community Market. Previous variants were selling items with a 12 percent discount, but a recent sample showed that they changed it to 35 percent discount. Perhaps to be able to sell the items faster."

Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>