Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Remote ATM Attack Uses SMS To Dispense Cash

timothy posted about 7 months ago | from the $$$-rofl-omg-$$$ dept.

Security 150

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

Big Data Breaches Give Credit Monitoring Services a Boost

timothy posted about 7 months ago | from the glaziers-love-broken-windows dept.

The Almighty Buck 48

Hugh Pickens DOT Com (2995471) writes "As attacks like the one on Target have exposed up to 40 million customer payment card accounts and the names, addresses and email addresses of as many as 70 million shoppers, Tiffany Hsu and E. Scott Reckard report in the LA Times that increased activity by data hackers has produced millions of victims but there has been one big winner: credit monitoring businesses. "It's almost a terrible thing to say, but these kinds of situations raise awareness of the need to protect yourself and to be more vigilant in checking your transactions," says Yaron Samid. Meanwhile services with names such as BillGuard and Identity Guard report a surge in sign-ups from people anxious to be protected. For example, the number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December." (More below.)

Microsoft Word Zero-Day Used In Targeted Attacks

Unknown Lamer posted about 7 months ago | from the upgrade-your-word-processor dept.

Microsoft 88

wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."

Ask Slashdot: Moving From Tech Support To Development?

timothy posted about 7 months ago | from the which-flavor-of-ice-cream? dept.

Programming 133

An anonymous reader writes "My eastern European tech-support job will be outsourced in 6 months to a nearby country. I do not wish to move, having relationship and roots here, and as such I stand at a crossroads. I could take my current hobby more seriously and focus on Java development. I have no degree, no professional experience in the field, and as such, I do not hold much market value for an employer. However, I find joy in the creative problem solving that programming provides. Seeing the cogs finally turn after hours invested gives me pleasures my mundane work could never do. The second option is Linux system administration with a specialization in VMware virtualisation. I have no certificates, but I have been around enterprise environments (with limited support of VMware) for 21 months now, so at the end of my contract with 27 months under my belt, I could convince a company to hire me based on willingness to learn and improve. All the literature is freely available, and I've been playing with VDIs in Debian already.

My situation is as follows: all living expenses except food, luxuries and entertainment is covered by the wage of my girlfriend. That would leave me in a situation where we would be financially alright, but not well off, if I were to earn significantly less than I do now. I am convinced that I would be able to make it in system administration, however, that is not my passion. I am at an age where children are not a concern, and risks seem to be, at first sight, easier to take. I would like to hear the opinion and experience of fellow readers who might have been in a similar situation."

One Billion Android Devices Open To Privilege Escalation

timothy posted about 7 months ago | from the that's-beeeeeellion dept.

Android 117

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said."
Handily enough, the original paper is not paywalled.

Fake PGP Keys For Crypto Developers Found

timothy posted about 7 months ago | from the who-you-say-you-are dept.

Encryption 110

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

WPA2 Wireless Security Crackable WIth "Relative Ease"

timothy posted about 7 months ago | from the relatively-absolute dept.

Wireless Networking 150

An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."

Docker Turns 1: What's the Future For Open Source Container Tech?

timothy posted about 7 months ago | from the within-and-beneath-additional-layers dept.

Software 65

darthcamaro (735685) writes "Docker has become one of the most hyped open-source projects in recent years, making it hard to believe the project only started one year ago. In that one year, Docker has now gained the support of Red Hat and other major Linux vendors. What does the future hold for Docker? Will it overtake other forms of virtualization or will it just be a curiosity?"

More On the Disposable Tech Worker

Soulskill posted about 7 months ago | from the always-recycle-them-when-you're-finished-using-them dept.

Businesses 323

Jim_Austin writes "At a press conference this week, in response to a question by a Science Careers reporter, Scott Corley, the Executive Director of immigration-reform group Compete America, argued that retraining workers doesn't make sense for IT companies. For the company, he argued, H-1B guest workers are a much better choice. 'It's not easy to retrain people,' Corley said. 'The further you get away from your education the less knowledge you have of the new technologies, and technology is always moving forward.'"

Speedy Attack Targets Web Servers With Outdated Linux Kernels

Soulskill posted about 7 months ago | from the update-your-junk dept.

Security 93

alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."

Linux May Succeed Windows XP As OS of Choice For ATMs

Soulskill posted about 7 months ago | from the cash-from-a-penguin dept.

Linux Business 367

Dega704 sends this news from ComputerWorld: "Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles. Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association. 'There is some heartburn in the industry' over Microsoft's end-of-support decision, Tente said. ATM operators would like to be able to synchronize their hardware and software upgrade cycles. But that's hard to do with Microsoft dictating the software upgrade timetable. As a result, 'some are looking at the possibility of using a non-Microsoft operating system to synch up their hardware and software upgrades,' Tente said."

Inside NSA's Efforts To Hunt Sysadmins

Soulskill posted about 7 months ago | from the most-sedentary-sport dept.

IT 147

An anonymous reader writes "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"

Working with Real-Time Analytics as a Service (Video)

Roblimo posted about 7 months ago | from the knowledge-you-might-need-someday-even-if-you-don't-need-it-now dept.

Stats 15

This is wide-ranging interview with Dev Patel and Poulomi Damany of BitYota, an Analytics as a Service startup that works specifically with MongoDB. Open Source? Not yet. But hopefully soon, they say. And why should an IT person or programmer care about marketing-oriented analytics? Because the more you know about functions in your company besides IT (such as finance, investor relations, and -- yes -- marketing), the more valuable you are as an employee. Dev also mentions the two main things he looks for when recruiting for BitYota: "One is intellect, and the other is attitude." He points out that this is not true merely of BitYota, but of any strong startup. This is all good information for any job-seeker hoping to land a spot with a startup -- and for anyone who is happy with where he or she works but hopes to earn promotions and raises, too.

Tor Project: Fake Tor App Has Been In Apple's App Store For Months

Unknown Lamer posted about 7 months ago | from the well-he-paid-his-developer-fees-so-... dept.

Iphone 78

itwbennett (1594911) writes "For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application. According to subsequent messages on the bug tracker, a complaint was filed with Apple on Dec. 26 with Apple reportedly responding on Jan. 3 saying it would give a chance to the app's developer to defend it. More than two months later, the Tor Browser app created by a developer named Ronen is available still in the App Store. The issue came into the public spotlight Wednesday when people involved in the Tor Project took to Twitter to make their concerns heard. Apple did not respond to IDG News Service's request for comment."

Gmail Goes HTTPS Only For All Connections

Unknown Lamer posted about 7 months ago | from the nsa-already-has-the-private-key dept.

Google 141

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone—including the NSA–who is trying to snoop on those Gmail sessions." GMail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

Bitcoin's Software Gets Security Fixes, New Features

Unknown Lamer posted about 7 months ago | from the don't-modify-that-transaction dept.

Bitcoin 173

itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address." This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation,

UK To Create Alan Turing Institute

samzenpus posted about 7 months ago | from the brand-new dept.

United Kingdom 62

kc123 writes "The UK government has announced plans to create the Alan Turing Institute intended to tackle problems in Big Data. The government will provide £42m over five years for the project. Turing was a pivotal figure in mathematics and computing. His codebreaking work led to the cracking of the German 'Enigma' codes. In December 2013, after a series of public campaigns, Turing received a posthumous royal pardon, for a conviction of homosexual activity in 1952."

Security Industry Incapable of Finding Firmware Attackers

Unknown Lamer posted about 7 months ago | from the just-use-coreboot dept.

Security 94

New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

Full-Disclosure Security List Suspended Indefinitely

Unknown Lamer posted about 7 months ago | from the poking-the-hornet's-nest-for-12-years dept.

Censorship 162

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing."
The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

Malware Attack Infected 25,000 Linux/UNIX Servers

Soulskill posted about 7 months ago | from the sudo-configure-your-stuff-properly dept.

Security 220

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirected web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."

A Call For Rollbacks To Previous Versions of Software

timothy posted about 7 months ago | from the forced-upgrades-are-a-pox-on-the-world dept.

Software 199

colinneagle writes "In a blog post, Andy Patrizio laments the trend — made more common in the mobile world — of companies pushing software updates ahead without the ability to roll back to previous versions in the event that the user simply doesn't like it. iOS 7.1, for example, has reportedly been killing some users' battery power, and users of the iTunes library app TuneUp will remember how the much-maligned version 3.0 effectively killed the company behind it (new owners have since taken over TuneUp and plans to bring back the older version).

The ability to undo a problematic install should be mandatory, but in too many instances it is not. That's because software developers are always operating under the assumption that the latest version is the greatest version, when it may not be. This is especially true in the smartphone and tablet world. There is no rollback to be had for anything in the iOS and Android worlds. Until the day comes when software developers start releasing perfectly functioning, error-free code, we need the ability to go backwards with all software."

Camera Module Problems May Delay Samsung's Galaxy S5

timothy posted about 7 months ago | from the tiny-little-pieces dept.

Bug 70

concertina226 writes "There's less than a month to go before Samsung launches its new flagship Galaxy S5 smartphone worldwide on 11 April, and the new device has still not gone into mass production due to camera module manufacturing problems. The 16 megapixel camera module consists of six plastic pieces, one more piece than in the existing 13 megapixel camera modules in the Galaxy S4. The problem that Samsung is having is that even though the number of plastic pieces has gone up, the thickness of each piece has remained the same, so in order to fit the new camera module into the Galaxy S5, the lens makers will likely have to develop new technology to make thinner lenses. Not only that, joining six pieces together instead of five for the 13 megapixel camera modules increases the risk of optical faults surfacing at the lens manufacturers' plants dramatically."

Is Analog the Fix For Cyber Terrorism?

Unknown Lamer posted about 7 months ago | from the security-through-obsolescence dept.

Security 245

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.

Kaspersky: Mt. Gox Data Archive Contains Bitcoin-Stealing Malware

Unknown Lamer posted about 7 months ago | from the trusting-random-zip-files-considered-harmful dept.

Security 169

itwbennett writes "An archive containing transaction records from Mt. Gox that was released on the Internet last week also contains bitcoin-stealing malware for Windows and Mac, say researchers at Kaspersky Lab who have analyzed the 620MB file called MtGox2014Leak.zip. The files masquerade as Windows and Mac versions of a custom, back-office application for accessing the transaction database of Mt. Gox. However, they are actually malware programs designed to search and steal Bitcoin wallet files from computers, Kaspersky security researcher Sergey Lozhkin said Friday in a blog post."

Aussie Attorney General's War On Encrypted Web Services

samzenpus posted about 7 months ago | from the no-code-for-you dept.

Encryption 151

Bismillah writes "If Attorney-General Brandis gets his way in the process of revising Australia's Telecommunications Interception Act, users and providers of VPNs and other encrypted services will by law be required to decrypt government intercepted data. Because, 'sophisticated criminals and terrorists.' New Zealand already has a similar law, the Telecommunications Interception and Computer Security Act. Apparently, large Internet service providers such as Microsoft and Facebook won't be exempt from the TICSA and must facilitate interception of traffic."

Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

Soulskill posted about 7 months ago | from the foxes-provide-the-best-sport dept.

Firefox 207

darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researcher only $3,000 per vulnerability."

Ask Slashdot: Best Management Interface On an IT Appliance?

timothy posted about 8 months ago | from the one-you-never-need dept.

GUI 114

tippen writes "The management user interface on most networking and storage appliances are, shall we say, not up to the snuff compared to modern websites or consumer products. What are the best examples of good UX design on an IT appliance that you've managed? What was it that made you love it? What should companies (or designers) developing new products look to as best-in-class that they should be striving for?"

How Data Storage Has Grown In the Past 60 Years

timothy posted about 8 months ago | from the megaleaps-and-gigabounds dept.

Data Storage 100

Lucas123 writes "Imagine that in 1952, an IBM RAMAC 350 disk drive would have been able to hold only one .MP3 song. Today, a 4TB 3.5-in desktop drive (soon to be 5TB) can hold 760,000 songs. As much data as the digital age creates (2.16 Zettabytes and growing), data storage technology has always found a way to keep up. It is the fastest growing semiconductor technology there is. Consider a microSD card that in 2005 could store 128MB of capacity. Last month, SanDisk launched a 128GB microSD card — 1,000 times the storage in under a decade. While planar NAND flash is running up against a capacity wall, technology such as 3D NAND and Resistive Random Access Memory (RRAM) hold the promise of quadrupling of solid state capacity. Here are some photos of what was and what is in data storage."

U.S. Aims To Give Up Control Over Internet Administration

timothy posted about 8 months ago | from the at-long-last dept.

The Internet 279

schwit1 writes with this excerpt from the Washington Post: "U.S. officials announced plans Friday to relinquish federal government control over the administration of the Internet, a move likely to please international critics but alarm some business leaders and others who rely on smooth functioning of the Web.

Pressure to let go of the final vestiges of U.S. authority over the system of Web addresses and domain names that organize the Internet has been building for more than a decade and was supercharged by the backlash to revelations about National Security Agency surveillance last year."
Reader Midnight_Falcon points out this press release on the move from Commerce Department’s National Telecommunications and Information Administration.

Target Ignored Signs of Data Breach

Soulskill posted about 8 months ago | from the making-themselves-quite-a-target dept.

Security 95

puddingebola writes "Target ignored indications from its threat-detection tools that malware had infected its network. From the article, 'Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.' Unfortunately, it appears Target's security team failed to act on the threat indicators."

Weak Apple PRNG Threatens iOS Exploit Mitigations

Soulskill posted about 8 months ago | from the also-makes-you-lose-at-poker dept.

Encryption 143

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

A Look at the NSA's Most Powerful Internet Attack Tool

samzenpus posted about 8 months ago | from the big-gun dept.

United States 154

realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempting (poorly) to use this for defense."

What If the Next Presidential Limo Was a Tesla?

timothy posted about 8 months ago | from the anything-that'll-turn-into-a-pumpkin-please dept.

Government 330

cartechboy writes "The presidential limo is known as "The Beast," and it's getting to be about that time where it's replaced. Currently The Beast is a General Motors creation with a Cadillac badge, but what if the next presidential limo was a Tesla? Stick with me here. The Beast is a massive vehicle, which means there would be plenty of room in the structure to have a long battery pack a la Model S. Plus, it could use the upcoming Model X's all-wheel-drive system. Tesla's air suspension would keep it from encountering high-centering issues. There could even be a charging port on both the front and back so a battery truck could hook up while driving, like in-flight refueling. Obviously the battery pack would need to have extra protection so it wouldn't have any issues with road debris, but that's a minor issue. Tesla is an American company, and that's a requirement for The Beast. So is it that far fetched to think the next presidential limo could be a Tesla?"

1GB of Google Drive Storage Now Costs Only $0.02 Per Month

timothy posted about 8 months ago | from the even-I-can-do-that-math dept.

Google 335

SmartAboutThings writes "Up until today, I always had the impression that cloud storage was pretty expensive and I'm sure that many will agree with me. It's a good thing that some bright minds over at Google have the same impressions as they now have drastically discounted the monthly storage plans on Google Drive. The new monthly storage plans and their previous prices are as follows: $1.99 for 100GB (previously $4.99), $9.99 for 1TB (previously $49.99), and $99.99 for 10TB.The 2 dollar plan per month means that the price for a gigabyte gets down to an incredibly low price of only two cents per month."

TrustyCon was the 'Rebel Conference' Across the Street From RSA 2014 (Video)

Roblimo posted about 8 months ago | from the the-most-interesting-people-are-often-in-the-rebel-groups dept.

Security 20

RSA holds big-time annual security conferences. The 2014 U.S. edition had 25,000 attendees, Stephen Colbert as the closing keynote speaker, and a major controversy (and some anger) from potential speakers and attendees over RSA's reputed $10 million contract with NSA to make sure the company's encryption software had back doors the secretive agency could use to spy on people and companies that use RSA software. This is part of a story that might be called The Snowden Revelations if it is made into a movie, but right now it's still controversial, and enough of a bombshell in the IT security industry that F-Secure's Mikko Hyppönen decided not to speak at this year's U.S. RSA conference, followed by Bruce Schneier, DEFCON founder Jeff Moss, Princeton professor Ed Felten, and other security luminaries.

And so, TrustyCon -- the Trustworthy Technology Conference -- was born. It was a sellout, with 400 people attending at $50 a head, and another 300 on a waiting list who couldn't get in. Slashdot's Tim Lord managed to get in, and got to speak briefly with several people there, including one of the TrustyCon organizers, Joel Wallenstrom. These were crude interviews, done on a "catch as catch can" basis, and the sound in them is poor. (Google sent a camera crew and shot over seven hours of the conference speakers, which you can watch on YouTube if you want to view TrustyCon presentations in good HD with great sound.). Will there be another TrustyCon next year? According to The Register, "The conference organizers said that, at this point, the plan is to hold another get-together next year, but that a final decision will be made closer to the time."

Replicant Hackers Find and Close Samsung Galaxy Back-door

timothy posted about 8 months ago | from the in-their-spare-time dept.

Handhelds 81

gnujoshua writes "Paul Kocialkowski (PaulK), a developer for the Replicant project, a fully free/libre version of Android, wrote a guest blog post for the Free Software Foundation announcing that whlie hacking on the Samsung Galaxy, they "discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system." They then replaced the proprietary program with free software.

While it may be a while before we can have a 100% free software microcode/firmware on the the cellular hardware itself, isolating that hardware from the rest of your programming and data is a seemingly important step that we can take right now. At least to the FSF anyhow. What do others think: is a 100% free software mobile device important to you?"

Replicant OS Developers Find Backdoor In Samsung Galaxy Devices

Soulskill posted about 8 months ago | from the caught-out dept.

Android 126

An anonymous reader writes "Developers of the Free Software Foundation-endorsed Replicant OS have uncovered a backdoor through Android on Samsung Galaxy devices and the Nexus S. The research indicates the proprietary Android versions have a blob handling communication with the modem using Samsung's IPC protocol and in turn there's a set of commands that allow the modem to do remote I/O operations on the phone's storage. Replicant's open-source version of Android does away with the Samsung library to fend off the potential backdoor issue."

How the NSA Plans To Infect 'Millions' of Computers With Malware

Soulskill posted about 8 months ago | from the sudo-apt-get-install-nsa-malware dept.

Government 234

Advocatus Diaboli sends news from The Intercept about leaked documents which show that the NSA is significantly expanding its efforts to build an automated system to compromise computers remotely. From the article: "The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to 'allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.' In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the 'Expert System,' which is designed to operate 'like the brain.' The system manages the applications and functions of the implants and 'decides' what tools they need to best extract data from infected machines."

Large DDoS Attack Brings WordPress Pingback Abuse Back Into Spotlight

timothy posted about 8 months ago | from the pressure-cooker dept.

Security 58

angry tapir writes "Attackers have abused the WordPress pingback feature, which allows sites to cross-reference blog posts, to launch a large-scale, distributed denial-of-service (DDoS) attack, according to researchers from Web security firm Sucuri. The attack involved over 162,000 legitimate WordPress websites being forced to send hundreds of requests per second to a popular WordPress site, preventing access to it for many hours. The attack exploited an issue with the XML-RPC (XML remote procedure call) implementation in WordPress that's used for features like pingback, trackback, remote access from mobile devices and others, and brought back into the spotlight the denial-of-service risks associated with this functionality that have been known since 2007."

Top E-commerce Sites Fail To Protect Users From Stupid Passwords

timothy posted about 8 months ago | from the use-uno-dos-tres-instead dept.

Security 162

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.

CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

Unknown Lamer posted about 8 months ago | from the security-through-obscurity dept.

Security 66

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."

University of Cambridge Develops Potentially More Secure Password Storage System

Unknown Lamer posted about 8 months ago | from the tpm-minus-bad-things dept.

Encryption 70

An anonymous reader writes "University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi and performs a hash-based message authentication code (HMAC). 'The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.' There are pros and cons associated with this method, of course, ranging from scalability to loss of access due to device hardware failure. As with all current options for password security, there's no guarantee that even this system remains secure."

SXSW: Edward Snowden Swipes At NSA

samzenpus posted about 8 months ago | from the I-stab-at-thee dept.

Privacy 116

Nerval's Lobster writes "In a Google Hangout with an auditorium full of South by Southwest attendees, government whistleblower (and former NSA employee) Edward Snowden suggested that encrypted communication should become more ubiquitous and easier to use for the majority of Internet denizens. 'The way we interact with [encrypted email and communications] is not good,' he said from somewhere within Russia, where he resides under the conditions of a one-year asylum. 'It needs to be out there, it needs to happen automatically, it needs to happen seamlessly.' For his part, Snowden still believes that companies should store user data that contributes directly to their respective business: 'It's not that you can't collect any data, you should only collect the data and hold it as long as necessary for the operation of the business.' He also couldn't resist some choice swipes at his former employer, accusing high-ranking intelligence officials Michael Hayden and Keith Alexander of harming the world's cyber-security—and by extension, United States national security—by emphasizing offensive operations over the defense of communications. 'America has more to lose than anyone else when every attack succeeds,' Snowden said. 'When you are the one country that has sort of a vault that's more full than anyone else's, it makes no sense to be attacking all day.'"

Author Says It's Time To Stop Glorifying Hackers

samzenpus posted about 8 months ago | from the no-praise-for-you dept.

Security 479

First time accepted submitter Geste writes "Diane McWhorter pleads in this NYT Op-Ed piece that it's time to stop glorifying hackers. Among other things she rails against providers' tendencies to 'blame the victim' with advice on improved password discipline. Interesting, but what lesson are we to learn from someone who emails lists of passwords to herself?"

US Intelligence Officials To Monitor Federal Employees With Security Clearances

samzenpus posted about 8 months ago | from the watching-the-watchers dept.

United States 186

First time accepted submitter Trachman writes in with news about a monitoring program designed to help stop future leaks of government documents. "U.S. intelligence officials are planning a sweeping system of electronic monitoring that would tap into government, financial and other databases to scan the behavior of many of the 5 million federal employees with secret clearances, current and former officials told The Associated Press. The system is intended to identify rogue agents, corrupt officials and leakers, and draws on a Defense Department model under development for more than a decade, according to officials and documents reviewed by the AP."

Eric Schmidt, Jared Cohen Say Google Data Now Protected From Gov't Spying

timothy posted about 8 months ago | from the now-how-to-effectively-test? dept.

Privacy 155

An anonymous reader writes "Google's Eric Schmidt and Jared Cohen were [part of a] wide-ranging session at SXSW today and they revealed that Google's data is now safely protected from the prying eyes of government organizations. In the last few days Google upgraded its security measure following revelations that Britain's GCHQ had intercepted data being transmitted between Google datacenters, Schmidt said that his company's upgrades following the incident left him 'pretty sure that information within Google is now safe from any government's prying eyes.'"

Portal 2 Incompatible With SELinux

timothy posted about 8 months ago | from the are-you-telling-us-the-whole-truth? dept.

Bug 212

jones_supa writes "Valve has recently released Portal 2 on Steam for Linux and opened a GitHub entry to gather all the bugs from the community. When one of the Valve developers closed a bug related to Portal 2 recommending that the users disable a security feature, the Linux community reacted. A crash is caused by the game's interaction with SELinux, the Linux kernel subsystem that deals with access control security policies. Portal 2 uses the third-party Miles Sound System MP3 decoder which, in turn, uses execheap, a feature that is normally disabled by SELinux. Like its name suggests, execheap allows a program to map a part of the memory so that it is both writable and executable. This could be a problem if someone chose to use that particular memory section for buffer overflow attacks; that would eventually permit the hacker to gain access to the system by running code. In the end, Valve developer David W. took responsibility of the problem: 'I apologize for the mis-communication: Some underlying infrastructure our games rely on is incompatible with SELinux. We are hoping to correct this. Of course closing this bug isn't appropriate and I am re-opening it.' This is more of an upstream problem for Valve. It's not something that they can fix directly, and most likely they will have to talk with the Miles developers and try to repair the problem from that direction."

The Tangled Tale of Mt. Gox's Missing Millions

timothy posted about 8 months ago | from the when-things-go-wrong dept.

Bitcoin 191

jfruh writes "What went wrong to produce the spectacular implosion of bitcoin repository Mt. Gox? Well, according to some preliminary investigation from the IDG News Service, pretty much everything. There was a lack of management oversight and 'culture,' the code running the site was a mess, and the CEO seemed more concerned about his plans for a 'Bitcoin cafe' than he was about his Japanese bank closing the company's account."

KDE Releases Calligra Suite 2.8

timothy posted about 8 months ago | from the consistently-impressive dept.

KDE 35

It's not just graphics app Krita: user KDE Community writes "The Calligra team is proud and pleased to announce the release of version 2.8 of the Calligra Suite, Calligra Active and the Calligra Office Engine. Major new features in this release are comments support in Author and Words, improved Pivot tables in Sheets, improved stability and the ability to open hyperlinks in Kexi. Flow introduces SVG based stencils and as usual there are many new features in Krita including touch screens support and a wraparound painting mode for the creation of textures and tiles." KDE has also just announced the first beta of its Applications and Platform 4.13.

Slashdot Login

Need an Account?

Forgot your password?