Slashdot: News for Nerds


Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

Soulskill posted about 4 months ago | from the foxes-provide-the-best-sport dept.

Firefox 207

darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as much as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy, said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researchers only $3,000 per vulnerability."

Ask Slashdot: Best Management Interface On an IT Appliance?

timothy posted about 4 months ago | from the one-you-never-need dept.

GUI 114

tippen writes "The management user interface on most networking and storage appliances is, shall we say, not up to snuff compared to modern websites or consumer products. What are the best examples of good UX design on an IT appliance that you've managed? What was it that made you love it? What should companies (or designers) developing new products look to as best-in-class that they should be striving for?"

How Data Storage Has Grown In the Past 60 Years

timothy posted about 4 months ago | from the megaleaps-and-gigabounds dept.

Data Storage 100

Lucas123 writes "Imagine that in 1952, an IBM RAMAC 350 disk drive would have been able to hold only one .MP3 song. Today, a 4TB 3.5-in desktop drive (soon to be 5TB) can hold 760,000 songs. As much data as the digital age creates (2.16 Zettabytes and growing), data storage technology has always found a way to keep up. It is the fastest growing semiconductor technology there is. Consider a microSD card that in 2005 could store 128MB of capacity. Last month, SanDisk launched a 128GB microSD card — 1,000 times the storage in under a decade. While planar NAND flash is running up against a capacity wall, technology such as 3D NAND and Resistive Random Access Memory (RRAM) holds the promise of quadrupling solid state capacity. Here are some photos of what was and what is in data storage."

U.S. Aims To Give Up Control Over Internet Administration

timothy posted about 4 months ago | from the at-long-last dept.

The Internet 279

schwit1 writes with this excerpt from the Washington Post: "U.S. officials announced plans Friday to relinquish federal government control over the administration of the Internet, a move likely to please international critics but alarm some business leaders and others who rely on smooth functioning of the Web.

Pressure to let go of the final vestiges of U.S. authority over the system of Web addresses and domain names that organize the Internet has been building for more than a decade and was supercharged by the backlash to revelations about National Security Agency surveillance last year."
Reader Midnight_Falcon points out this press release on the move from Commerce Department’s National Telecommunications and Information Administration.

Target Ignored Signs of Data Breach

Soulskill posted about 4 months ago | from the making-themselves-quite-a-target dept.

Security 95

puddingebola writes "Target ignored indications from its threat-detection tools that malware had infected its network. From the article, 'Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.' Unfortunately, it appears Target's security team failed to act on the threat indicators."

Weak Apple PRNG Threatens iOS Exploit Mitigations

Soulskill posted about 4 months ago | from the also-makes-you-lose-at-poker dept.

Encryption 143

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt, senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

A Look at the NSA's Most Powerful Internet Attack Tool

samzenpus posted about 4 months ago | from the big-gun dept.

United States 154

realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That's reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempts (poorly) to use this for defense."

What If the Next Presidential Limo Was a Tesla?

timothy posted about 4 months ago | from the anything-that'll-turn-into-a-pumpkin-please dept.

Government 330

cartechboy writes "The presidential limo is known as 'The Beast,' and it's getting to be about that time where it's replaced. Currently The Beast is a General Motors creation with a Cadillac badge, but what if the next presidential limo was a Tesla? Stick with me here. The Beast is a massive vehicle, which means there would be plenty of room in the structure to have a long battery pack a la Model S. Plus, it could use the upcoming Model X's all-wheel-drive system. Tesla's air suspension would keep it from encountering high-centering issues. There could even be a charging port on both the front and back so a battery truck could hook up while driving, like in-flight refueling. Obviously the battery pack would need to have extra protection so it wouldn't have any issues with road debris, but that's a minor issue. Tesla is an American company, and that's a requirement for The Beast. So is it that far fetched to think the next presidential limo could be a Tesla?"

1GB of Google Drive Storage Now Costs Only $0.02 Per Month

timothy posted about 4 months ago | from the even-I-can-do-that-math dept.

Google 335

SmartAboutThings writes "Up until today, I always had the impression that cloud storage was pretty expensive and I'm sure that many will agree with me. It's a good thing that some bright minds over at Google have the same impressions as they now have drastically discounted the monthly storage plans on Google Drive. The new monthly storage plans and their previous prices are as follows: $1.99 for 100GB (previously $4.99), $9.99 for 1TB (previously $49.99), and $99.99 for 10TB. The 2 dollar plan per month means that the price for a gigabyte gets down to an incredibly low price of only two cents per month."

TrustyCon was the 'Rebel Conference' Across the Street From RSA 2014 (Video)

Roblimo posted about 4 months ago | from the the-most-interesting-people-are-often-in-the-rebel-groups dept.

Security 20

RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.) Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."

Replicant Hackers Find and Close Samsung Galaxy Back-door

timothy posted about 4 months ago | from the in-their-spare-time dept.

Handhelds 81

gnujoshua writes "Paul Kocialkowski (PaulK), a developer for the Replicant project, a fully free/libre version of Android, wrote a guest blog post for the Free Software Foundation announcing that while hacking on the Samsung Galaxy, they 'discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system.' They then replaced the proprietary program with free software.

While it may be a while before we can have a 100% free software microcode/firmware on the cellular hardware itself, isolating that hardware from the rest of your programming and data is a seemingly important step that we can take right now. At least to the FSF anyhow. What do others think: is a 100% free software mobile device important to you?"

Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

Soulskill posted about 4 months ago | from the caught-out dept.

Android 126

An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."

How the NSA Plans To Infect 'Millions' of Computers With Malware

Soulskill posted about 4 months ago | from the sudo-apt-get-install-nsa-malware dept.

Government 234

Advocatus Diaboli sends news from The Intercept about leaked documents which show that the NSA is significantly expanding its efforts to build an automated system to compromise computers remotely. From the article: "The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to 'allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.' In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the 'Expert System,' which is designed to operate 'like the brain.' The system manages the applications and functions of the implants and 'decides' what tools they need to best extract data from infected machines."

Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

timothy posted about 4 months ago | from the pressure-cooker dept.

Security 58

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."

Top E-commerce Sites Fail To Protect Users From Stupid Passwords

timothy posted about 4 months ago | from the use-uno-dos-tres-instead dept.

Security 162

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.

CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

Unknown Lamer posted about 4 months ago | from the security-through-obscurity dept.

Security 66

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).'"

University of Cambridge Develops Potentially More Secure Password Storage System

Unknown Lamer posted about 4 months ago | from the tpm-minus-bad-things dept.

Encryption 70

An anonymous reader writes "University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi and performs a hash-based message authentication code (HMAC). 'The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.' There are pros and cons associated with this method, of course, ranging from scalability to loss of access due to device hardware failure. As with all current options for password security, there's no guarantee that even this system remains secure."

SXSW: Edward Snowden Swipes At NSA

samzenpus posted about 4 months ago | from the I-stab-at-thee dept.

Privacy 116

Nerval's Lobster writes "In a Google Hangout with an auditorium full of South by Southwest attendees, government whistleblower (and former NSA employee) Edward Snowden suggested that encrypted communication should become more ubiquitous and easier to use for the majority of Internet denizens. 'The way we interact with [encrypted email and communications] is not good,' he said from somewhere within Russia, where he resides under the conditions of a one-year asylum. 'It needs to be out there, it needs to happen automatically, it needs to happen seamlessly.' For his part, Snowden still believes that companies should store user data that contributes directly to their respective business: 'It's not that you can't collect any data, you should only collect the data and hold it as long as necessary for the operation of the business.' He also couldn't resist some choice swipes at his former employer, accusing high-ranking intelligence officials Michael Hayden and Keith Alexander of harming the world's cyber-security—and by extension, United States national security—by emphasizing offensive operations over the defense of communications. 'America has more to lose than anyone else when every attack succeeds,' Snowden said. 'When you are the one country that has sort of a vault that's more full than anyone else's, it makes no sense to be attacking all day.'"

Author Says It's Time To Stop Glorifying Hackers

samzenpus posted about 4 months ago | from the no-praise-for-you dept.

Security 479

First time accepted submitter Geste writes "Diane McWhorter pleads in this NYT Op-Ed piece that it's time to stop glorifying hackers. Among other things she rails against providers' tendencies to 'blame the victim' with advice on improved password discipline. Interesting, but what lesson are we to learn from someone who emails lists of passwords to herself?"

US Intelligence Officials To Monitor Federal Employees With Security Clearances

samzenpus posted about 4 months ago | from the watching-the-watchers dept.

United States 186

First time accepted submitter Trachman writes in with news about a monitoring program designed to help stop future leaks of government documents. "U.S. intelligence officials are planning a sweeping system of electronic monitoring that would tap into government, financial and other databases to scan the behavior of many of the 5 million federal employees with secret clearances, current and former officials told The Associated Press. The system is intended to identify rogue agents, corrupt officials and leakers, and draws on a Defense Department model under development for more than a decade, according to officials and documents reviewed by the AP."

Eric Schmidt, Jared Cohen Say Google Data Now Protected From Gov't Spying

timothy posted about 4 months ago | from the now-how-to-effectively-test? dept.

Privacy 155

An anonymous reader writes "Google's Eric Schmidt and Jared Cohen were [part of a] wide-ranging session at SXSW today and they revealed that Google's data is now safely protected from the prying eyes of government organizations. In the last few days Google upgraded its security measures following revelations that Britain's GCHQ had intercepted data being transmitted between Google datacenters. Schmidt said that his company's upgrades following the incident left him 'pretty sure that information within Google is now safe from any government's prying eyes.'"

Portal 2 Incompatible With SELinux

timothy posted about 4 months ago | from the are-you-telling-us-the-whole-truth? dept.

Bug 212

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility for the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

The Tangled Tale of Mt. Gox's Missing Millions

timothy posted about 4 months ago | from the when-things-go-wrong dept.

Bitcoin 191

jfruh writes "What went wrong to produce the spectacular implosion of bitcoin repository Mt. Gox? Well, according to some preliminary investigation from the IDG News Service, pretty much everything. There was a lack of management oversight and 'culture,' the code running the site was a mess, and the CEO seemed more concerned about his plans for a 'Bitcoin cafe' than he was about his Japanese bank closing the company's account."

KDE Releases Calligra Suite 2.8

timothy posted about 4 months ago | from the consistently-impressive dept.

KDE 35

It's not just graphics app Krita: user KDE Community writes "The Calligra team is proud and pleased to announce the release of version 2.8 of the Calligra Suite, Calligra Active and the Calligra Office Engine. Major new features in this release are comments support in Author and Words, improved Pivot tables in Sheets, improved stability and the ability to open hyperlinks in Kexi. Flow introduces SVG based stencils and as usual there are many new features in Krita including touch screen support and a wraparound painting mode for the creation of textures and tiles." KDE has also just announced the first beta of its Applications and Platform 4.13.

TrustyCon Session Videos Now Online

Unknown Lamer posted about 5 months ago | from the grab-some-popcorn dept.

Media 6

The RSA conference counter-conference TrustyCon livestreamed its videos and made the seven hour video available. Al Billings wasn't happy with that, and split the videos into segments for easy viewing. Quoting: "I don't know about you but I like my viewing in smaller chunks. I also tend to listen to talks and presentations, especially when there is no strong visual component, by saving the audio portion of it to my huffduffer account and listening to the resulting feed as a podcast. I took it on myself to do a quick and dirty slice and dice on the seven plus hour video. It isn't perfect (I'm a program manager, not a video editor!) but it works. ... Additionally, I extracted the audio from each of these files and put an audio collection up on the Internet Archive, for people like me who just want to listen to them." The videos are collected into a Youtube playlist.

HTTPS More Vulnerable To Traffic Analysis Attacks Than Suspected

Unknown Lamer posted about 5 months ago | from the working-out-the-bugs dept.

Encryption 17

msm1267 writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy. They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said. 'We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,' the paper said. 'Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.'"

New Tool Makes Android Malware Easier To Create

samzenpus posted about 5 months ago | from the a-b-c-1-2-3 dept.

Security 42

itwbennett writes "A new commercial tool designed to allow cybercriminals to easily transform legitimate Android applications into malicious software has hit the underground market, paving the way for cheap and easy development of sophisticated Android malware. Security researchers from Symantec said Wednesday in a blog post that the tool, called Dendroid, is marketed by its creators as an Android remote administration tool (RAT) and is being sold for $300."

Pwnie Express Rides Again at RSA 2014 (Video)

Roblimo posted about 5 months ago | from the a-cute-name-plus-open-source-pen-testing-tickles-our-keys dept.

Security 12

The intro to our first video interview with Pwnie Express 'Founder and CEO and everything else' Dave Porcello back in 2012 started with this sentence: 'Pwnie Express is a cute name for this tiny (and easily hidden) group of Pen Test devices.' They have more tools now, including some they've released since we mentioned them and their (then) new Pwn Pad back in March, 2013. Now they're working with Kali Linux, a distro built especially for penetration testing (and formerly known as BackTrack). In this video we have Tim Lord chatting with Dave Porcello about recent Pwnie Express happenings at RSA 2014. (If you don't see the video below, please use this link.)

New Mozilla Encoder Improves JPEG Compression

timothy posted about 5 months ago | from the 6-percent's-a-lot dept.

Software 155

jlp2097 writes "As reported by Heise, Mozilla has introduced a new JPEG encoder (German [Google-translated to English]) called mozjpeg. Mozjpeg promises to be a 'production-quality JPEG encoder that improves compression while maintaining compatibility with the vast majority of deployed decoders.' The Mozilla Research blog states that Mozjpeg is based on libjpeg-turbo with functionality added from jpgcrush. They claim an average of 2-6% of additional compression for files encoded with libjpeg and 10% additional compression for a sample of 1500 jpegs from Wikipedia — while maintaining the same image quality."

Target Rich Environment: Mobile Malware in China

timothy posted about 5 months ago | from the making-it-up-on-volume dept.

China 11

An anonymous reader writes with this excerpt from Help-Net Security (based on the linked Trend Micro report): "Every country's cybercriminal underground market has distinct characteristics, and with 500 million national mobile Internet users and the number continuously rising, the Chinese underground market is awash with cyber crooks buying and selling services and devices aimed at taking advantage of them. Trend Micro's senior threat researcher Lion Gu has been scouring forums, online shops and QQ chats to give us a sense of what is actually going on in this burgeoning mobile underground. Mobile apps that stealthily subscribe users to premium services are, naturally, very popular with cyber crooks in China as in the rest of the world. Premium service numbers can also be bought on underground markets. Network carriers usually assign premium service numbers to qualified service providers, but obviously some of them are not [averse to] selling them on to criminals."

Apple Refuses To Unlock Bequeathed iPad

samzenpus posted about 5 months ago | from the cooperation-in-3-2-1 dept.

Security 465

mrspoonsi writes "A man whose mother bequeathed her iPad to her family in her will says Apple's security rules are too restrictive. Since her death, they have been unable to unlock the device, despite providing Apple with copies of her will, death certificate and solicitor's letter. After her death, they discovered they did not know her Apple ID and password, but were asked to provide written consent for the device to be unlocked. Mr Grant said: 'We obviously couldn't get written permission because mum had died. So my brother has been back and forth with Apple, they're asking for some kind of proof that he can have the iPad. We've provided the death certificate, will and solicitor's letter but it wasn't enough. They've now asked for a court order to prove that mum was the owner of the iPad and the iTunes account.'"

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Unknown Lamer posted about 5 months ago | from the padlock-icon-says-I'm-good-right dept.

Security 572

New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.

In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.

My question: How common is it for employers to perform MITM attacks on their own employees?"

Microsoft's Attempt To Convert Users From Windows XP Backfires

Unknown Lamer posted about 5 months ago | from the get-your-free-upgrade-to-ubuntu dept.

Upgrades 860

MojoKid writes "Microsoft has been loudly and insistently banging a drum: All support and service for Windows XP and Office 2003 shuts down on April 8. In early February, faced with a slight uptick in users on the decrepit operating system the month before, Microsoft hit on an idea: Why not recruit tech-savvy friends and family to tell old holdouts to get off XP? The response ... was a torrent of abuse from Windows 8 users who aren't exactly thrilled with the operating system. Microsoft has come under serious fire for some significant missteps in this process, including a total lack of actual upgrade options. What Microsoft calls an upgrade involves completely wiping the PC and reinstalling a fresh OS copy on it — or ideally, buying a new device. Microsoft has misjudged how strong its relationship is with consumers and failed to acknowledge its own shortcomings. Not providing an upgrade utility is one example — but so is the general lack of attractive upgrade prices or even the most basic understanding of why users haven't upgraded. Microsoft's right to kill XP is unquestioned, but the company appears to have no insight into why its customers continue to use the OS."

F-Secure: Android Accounted For 97% of All Mobile Malware In 2013

Soulskill posted about 5 months ago | from the going-for-the-high-score dept.

Android 193

An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."

The New PHP

Soulskill posted about 5 months ago | from the less-filling-tastes-great dept.

PHP 254

An anonymous reader writes "This article at O'Reilly Programming suggests that PHP, a language known as much for its weaknesses as its strengths, has made steady progress over the past few years in fixing its problems. From the article: 'A few years ago, PHP had several large frameworks (e.g. CakePHP, CodeIgniter, and so on). Each framework was an island and provided its own implementation of features commonly found in other frameworks. Unfortunately, these insular implementations were likely not compatible with each other and forced developers to lock themselves in with a specific framework for a given project. Today the story is different. The new PHP community uses package management and component libraries to mix and match the best available tools. ... There are also exciting things happening with PHP under the hood, too. The PHP Zend Engine recently introduced memory usage optimizations. The memory usage in PHP 5.5 is far less than earlier versions.'"

Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

Soulskill posted about 5 months ago | from the feeling-secure-is-the-biggest-bug dept.

Security 231

New submitter williamyf writes "According to this article at Ars Technica, '[A] bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.' The coding error may have been present since 2005."

Australian Company Claims Laser-Based Quantum Crypto is "Unbreakable" (Video)

Roblimo posted about 5 months ago | from the when-you-positively-absolutely-need-to-keep-your-crypto-key-to-yourself dept.

Security 84

The QuintessenceLabs website doesn't mince words when it comes to self-promotion. It boasts that they are "The world’s first company to harness the quantum properties of lasers to herald a new generation of data security." InvestCanberra says, "the defense and security policy and procurement centre of Australia is the natural location for large conglomerate defense and security corporations and specialist cyber security, advanced communications and radar, ICT and surveillance businesses alike," and goes on to list QuintessenceLabs as one of several "locally headquartered companies that have grown into internationally successful organizations."

Here's another statement taken from the company's website: "QuintessenceLabs is the first in the world to exploit a new generation of quantum cryptographic technology which enables unbreakable, secure storage and communication of sensitive information through the generation of an ultra-secure cryptographic key." Unbreakable? That's a strong boast. Is it true? And even if it's only partly true, your upper management may call on you to explain (and possibly implement) laser-based quantum security, so you need to know what it is and how it works -- and whether it's something your company (or your client companies) need.

In Ukraine, Cyber War With Russia Heating Up

timothy posted about 5 months ago | from the nothing-good-will-come-of-this dept.

Security 256

concertina226 writes "If you think the crisis in the Ukraine is limited just to being on the ground, think again. A cyberwar is flaring up between Ukraine and Russia and it looks like just the beginning. On Friday, communication centers were hijacked by unknown men to install wireless equipment for monitoring the mobile phones of Ukraine parliament members. Since then, Ukrainian hackers have been defacing Russian news websites, while Russia's Roskomnadzor is blocking any IP addresses or groups on social media from showing pro-Ukraine 'extremist' content." Adds reader Daniel_Stuckey: "On the other side of the border, RT — the news channel formerly known as Russia Today and funded by the state — had its website hacked on Sunday morning, with the word 'Nazi' not-so-stealthily slipped into headlines. Highlights included 'Russian senators vote to use stabilizing Nazi forces on Ukrainian territory,' and 'Putin: Nazi citizens, troops threatened in Ukraine, need armed forces' protection.' RT was quick to notice the hack, and the wordplay only lasted about 20 minutes." Finally, as noted by judgecorp, "The Ukrainian security service has claimed that Russian forces in Crimea are attacking Ukraine's mobile networks and politicians' phones in particular. Meanwhile, pro-Russian hackers have defaced Ukrainian news sites, posting a list of forty web destinations where content has been replaced. The pro-Russians have demonstrated Godwin's Rule — their animated GIF equates the rest of Ukraine to Nazis."

New Attack Hijacks DNS Traffic From 300,000 Routers

Unknown Lamer posted about 5 months ago | from the something-had-to-replace-windows dept.

Security 105

nk497 writes "Florida-based security firm Team Cymru said it was examining a widespread compromise of 300,000 consumer and small office/home office (SOHO) routers in Europe and Asia. The DNS server settings were changed to a pair of IP addresses, which correspond to Dutch machines that are registered to a company that lists its address in central London. The attack highlights the flaws in router firmware, the researchers said. 'It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious,' Cymru's Steve Santorelli said, adding the hack could let the attackers conduct man in the middle attacks, impersonating your bank, for example."

Book Review: Threat Modeling: Designing For Security

samzenpus posted about 5 months ago | from the read-all-about-it dept.

Books 32

benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review.

Russians Suspected of Uroburos Spy Malware

samzenpus posted about 5 months ago | from the from-russia-with-love dept.

Security 137

judgecorp writes "While Russia's political activity is center stage, its cyber-espionage apparently continues. Russian intelligence is strongly suspected of being behind the Uroburos malware which is targeting Western governments and commercial organizations. There are Russian-language strings in the code, and it searches its victims' systems for Agent BTZ, malware used in previous attacks believed to have been carried out by Russia."

Cisco Offers $300,000 Prize For Internet of Things Security Apps

samzenpus posted about 5 months ago | from the pay-me dept.

Security 62

alphadogg writes "Cisco today kicked off a contest with $300,000 in prize money that challenges security experts around the world to put together ways to secure what's now called the 'Internet of Things,' the wide range of non-traditional computing devices used on the electric grid, in healthcare and many other industries. A Cisco SVP concluded his keynote at this week's RSA Conference by announcing what he called the 'Internet of Things Security Grand Challenge.' Christopher Young said the idea is 'a contest of experts around the world to submit blueprints' for how security issues created by the Internet of Things could be addressed. It's expected that up to six winning entries would be selected and the prize money awarded at the Internet of Things Forum in the fall."

Snowden's NSA Leaks Gave IETF a Needed Security Wake-up Call

Soulskill posted about 5 months ago | from the don't-hit-the-snooze-button dept.

The Internet 52

alphadogg writes "Security and how to protect users from pervasive monitoring will dominate the proceedings when members of the Internet Engineering Task Force meet in London starting Sunday. For an organization that develops the standards we all depend on for the Internet to work, the continued revelations made by NSA whistleblower Edward Snowden have had wide-ranging repercussions. 'It wasn't a surprise that some activities like this are going on. I think that the scale and some of the tactics surprised the community a little bit. ... You could also argue that maybe we needed the wake-up call,' said IETF Chairman Jari Arkko. Part of that work will also be to make security features easier to use and for the standards organization to think of security from day one when developing new protocols."

Using Google Maps To Intercept FBI and Secret Service Calls

Soulskill posted about 5 months ago | from the enjoy-your-stay-on-government-watchlists dept.

Google 137

An anonymous reader sends in a story about a network engineer named Bryan Seely, who was tired of seeing fake listings and spam on Google Maps. He contacted the company and tried to convince them to fix their system, but didn't have much luck. Afterward, he thought of an effective demonstration. He put up fake listings for the FBI and the Secret Service with phone numbers that sent the calls to him. When people called, he forwarded them to the actual agencies while he listened in. After recording a couple of calls for proof, he went to a local Secret Service office to explain the problem: "After that, Seely says, he got patted down, read his Miranda rights, and put in an interrogation room. Email correspondence with the Secret Service indicates that the special agent in charge called him a 'hero' for bringing this major security flaw to light. They let him go after a few hours. Seely says the fake federal listings, which were both ranked second every time I checked Google Maps, were up for four days. He took them down himself when the Secret Service asked."

Live Q&A With Ex-TSA Agent Jason Harrington

samzenpus posted about 5 months ago | from the straight-from-the-agents-mouth dept.

Security 141

Jason Harrington (@Jas0nHarringt0n) is a controversial blogger, frequent contributor to McSweeney's Internet Tendency, and one of the TSA's least favorite ex-employees. His descriptions of life on the job as a TSA agent caused some big waves and restarted a national discussion on security theater. Jason will be answering your questions below for the next couple of hours, or until the security line starts moving again. Please keep it to one question per post so everyone gets a chance. Update: 03/01 02:11 GMT by S : Jason has finished up for now — you can skip to his answers at his user page, or simply browse the comments to read everything. Thanks Jason for answering our questions!

Spooks-as-a-Service Swarm RSA Conference

samzenpus posted about 5 months ago | from the if-you-can't-beat-them dept.

Security 38

itwbennett writes "As the list of victims of sophisticated cyber attacks expands, so does the need for specialized, high-priced, and hard-to-find talent to help investigate and recover from those attacks. The latest solution: hosted services offering access to cyber intelligence and incident response. 'At the RSA Security Conference this week, companies large and small are trumpeting the spy agency connections of senior staff as never before,' writes Paul Roberts. 'These new offerings — think of them as spooks-as-a-service — typically combine some degree of network and endpoint monitoring with a cloud-based management platform to gather and analyze data against data aggregated from other customers and third-party threat intelligence.'"

Intel's New Desktop SSD Is an Overclocked Server Drive

samzenpus posted about 5 months ago | from the new-kid-in-class dept.

Data Storage 111

crookedvulture writes "Most of Intel's recent desktop SSDs have followed a familiar formula. Combine off-the-shelf controller with next-gen NAND and firmware tweaks. Rinse. Repeat. The new 730 Series is different, though. It's based on Intel's latest datacenter SSD, which combines a proprietary controller with high-endurance NAND. In the 730 Series, these chips are clocked much higher than their usual speeds. The drive is fully validated to run at the boosted frequencies, and it's rated to endure at least 70GB of writes per day over five years. As one might expect, though, this hot-clocked server SSD is rather pricey for a desktop model. It's slated to sell for around $1/GB, which is close to double the cost of more affordable options. And the 730 Series isn't always faster than its cheaper competition. Although the drive boasts exceptional throughput with random I/O, its sequential transfer rates are nothing special."

Why We Need To Teach Hacking In High School

Unknown Lamer posted about 5 months ago | from the rms-teaches-programming dept.

Education 124

An anonymous reader writes "Following one of the best descriptions of a hacker I've ever seen, Pete Herzog, creator of the 'security testing' (professional hacking) manual OSSTMM outlines compelling reasons why the traits of the hacker should be taught in school to make better students and better people. It starts out with 'Whatever you may have heard about hackers, the truth is they do something really, really well: discover.' and it covers open education, teaching kids to think for themselves, and promoting hacking as a tool for progress." A good read, despite confusing hacker and hacker a bit. I remember getting to set up Debian on a scrap machine in high school, only to have county IT kill the project because of the horrible danger experimentation could have proven to the network...

Sundar Pichai: Android Designed For Openness; Security a Lower Priority

timothy posted about 5 months ago | from the not-that-they-must-contradict dept.

Security 117

An anonymous reader writes "Earlier this week, Google Android chief Sundar Pichai spoke at the Mobile World Congress where he explained, rather bluntly, that Android is designed to be open more so than it's designed to be safe. He also added that if he were a hacker today, he too would focus most of his efforts on Android on account of its marketshare position." Related: wiredmikey writes "Boeing is launching 'Boeing Black phone,' a self-destructing Android-based smartphone that the company says has no serviceable parts, and any attempted servicing or replacing of parts would destroy the product. 'Any attempt to break open the casing of the device would trigger functions that would delete the data and software contained within the device and make the device inoperable,' the company explained. ... The device should not be confused with the new encrypted Blackphone, developed by the U.S. secure communications firm Silent Circle with Spanish manufacturer Geeksphone."

Apple Drops Snow Leopard Security Updates, Doesn't Tell Anyone

timothy posted about 5 months ago | from the they'll-figure-it-out-soon-enough dept.

OS X 241

Freshly Exhumed writes "As Apple issued an update for Mavericks, Mountain Lion, and Lion yesterday, Snow Leopard users have not seen a security update since September, 2013. This would not be noteworthy if Apple, like a host of other major software vendors, would clearly spell out its OS support policies and warn users of such changes, but they have not. Thus, the approximately 20% of Mac users still running Snow Leopard now find themselves in a very vulnerable state without the latest security updates."
