
Security Evaluation of the Tesla Model S

Soulskill posted about 5 months ago | from the fob-it-off-on-somebody-else dept.

Transportation 93

An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.

The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
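The control the summary says is missing, a limit on incorrect login attempts, as an added example (this is not Tesla's code and is not taken from Dhanjani's paper): a per-account sliding-window failure counter with an escalating lockout, plus a small replay harness so the effect on a guessing loop can be measured. The policy numbers (5 failures in 15 minutes, 30-minute lockout, doubling) and the account name are assumptions chosen for the illustration.

```python
import time
from collections import defaultdict, deque

# Assumed policy (not Tesla's): 5 failures inside a 15-minute window lock the
# account for 30 minutes, and each further lockout doubles the duration.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
BASE_LOCKOUT_SECONDS = 30 * 60


class LoginThrottle:
    """Per-account failure counter with sliding window and escalating lockout.
    A real deployment pairs this with a per-source-IP limiter so that a
    distributed guesser cannot simply spread attempts across accounts."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> time the lock expires
        self.lockouts = defaultdict(int)     # account -> lockouts so far

    def allowed(self, account):
        return self.clock() >= self.locked_until.get(account, 0)

    def record_failure(self, account):
        now = self.clock()
        window = self.failures[account]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures outside the window
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self.lockouts[account] += 1
            self.locked_until[account] = (
                now + BASE_LOCKOUT_SECONDS * 2 ** (self.lockouts[account] - 1))
            window.clear()

    def record_success(self, account):
        self.failures[account].clear()


def attempt_login(throttle, account, password, check_password):
    """Returns "locked", "ok" or "bad". While locked the password is not
    checked at all, so a locked account leaks nothing about the guess."""
    if not throttle.allowed(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def simulate_guessing(correct_password, guesses, seconds_between=1.0):
    """Replay a guess list against one account with a fake clock. Returns
    (number of guesses the server actually evaluated, whether the correct
    password ever got through)."""
    clock = {"t": 0.0}
    throttle = LoginThrottle(clock=lambda: clock["t"])
    users = {"owner@example.com": correct_password}      # constructed account
    evaluated, got_in = 0, False
    for guess in guesses:
        clock["t"] += seconds_between
        result = attempt_login(throttle, "owner@example.com", guess,
                               lambda acct, pw: users.get(acct) == pw)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            got_in = True
    return evaluated, got_in
```

With twenty wrong guesses followed by the right one at one guess per second, only the first five are ever evaluated; the rest are refused without touching the credential store. The trade-off is that the same mechanism lets a third party lock a known account on purpose, which is why the lockout should be paired with a per-IP limit and a notification to the owner rather than being the only control.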

oVirt 3.4 Means Management, VMs Can Live On the Same Machine

timothy posted about 5 months ago | from the right-there-in-the-open dept.

Virtualization 51

darthcamaro (735685) writes "Red Hat's open source oVirt project hit a major milestone this week with the release of version 3.4. It's got improved storage handling so users can mix and match different resource types, though the big new feature is one that seems painfully obvious. For the first time oVirt users can have the oVirt Manager and oVirt VMs on the same physical machine. 'So, typically, customers deployed the oVirt engine on a physical machine or on a virtual machine that wasn't managed or monitored,' Scott Herold, principal product manager for Red Hat Enterprise Virtualization said. 'The oVirt 3.4 release adds the ability for oVirt to self-host its engine, including monitoring and recovery of the virtual machine.'" (Wikipedia describes oVirt as "a free platform virtualization management web application community project.")

Ask Slashdot: How To Handle Unfixed Linux Accessibility Bugs?

timothy posted about 5 months ago | from the linux-on-the-desktop dept.

Bug 266

dotancohen (1015143) writes "It is commonly said that open source software is preferable because if you need something changed, you can change it yourself. Well, I am not an Xorg developer and I cannot maintain a separate Xorg fork. Xorg version 1.13.1 introduced a bug which breaks the "Sticky Keys" accessibility option. Thus, handicapped users who rely on the feature cannot use Xorg-based systems with the affected versions and are stuck on older software versions. Though all pre-bug Linux distros are soon scheduled for retirement, there seems to be no fix in sight. Should disabled users stick with outdated, vulnerable, and unsupported Linux distros or should we move to OS-X / Windows?

The prospect of changing my OS, applications, and practices due to such an ostensibly small issue is frightening. Note that we are not discussing 'I don't like change' but rather 'this unintentional change is incompatible with my physical disability.' Thus this is not a case of every change breaks someone's workflow."

FTC Settles With Sites Over SSL Lies

timothy posted about 5 months ago | from the like-fake-security-cameras dept.

Security 78

An anonymous reader writes "The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. The settlements with the FTC don't include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs."
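What "disabled the validation process" looks like in code, as an added example rather than anything from the Fandango or Credit Karma apps: a Python ssl client context with chain and host-name checks switched off next to a correctly configured one, and an audit function that reports the difference. The problem codes and the TLS 1.2 floor are my choices, not from the FTC order.

```python
import socket
import ssl


def insecure_context():
    """The pattern described in the complaint: certificate validation off.
    The connection is still encrypted, but any certificate (including one
    minted by a man in the middle) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """Chain validated against the platform trust store and the host name
    checked against the certificate; nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of problem codes for a client SSLContext; an empty list
    means it verifies peers the way a browser does."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("no-chain-validation")
    if not ctx.check_hostname:
        problems.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy-tls-allowed")
    return problems


def fetch_peer_cert(host, port=443, ctx=None, timeout=5):
    """Connect (needs network access) and return the validated peer cert.
    With secure_context() a bad chain or a name mismatch raises
    ssl.SSLCertVerificationError instead of silently succeeding."""
    ctx = ctx or secure_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

The audit is the kind of check an independent assessor, or a unit test in the app's own build, can run without any network: a context that fails it is "SSL" in name only, since any interception proxy presenting a self-signed certificate will be accepted.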

State-Sponsored Hacking Attacks Targeting Top News Organizations

Soulskill posted about 5 months ago | from the tip-of-the-iceberg dept.

Security 19

An anonymous reader writes "Security engineers from Google have found that 21 out of the top 25 news organizations have been targeted by cyberattacks that are likely state-sponsored. We've heard about some high profile attacks on news sites, but Google actively tracks the countries that are launching these attacks, and even hosts email services for many of the news organizations. 'Huntley said Chinese hackers recently gained access to a major Western news organization, which he declined to identify, via a fake questionnaire emailed to staff. Most such attacks involve carefully crafted emails carrying malware or directing users to a website crafted to trick them into giving up credentials. Marquis-Boire said that while such attacks were nothing new, their research showed that the number of attacks on media organizations and journalists that went unreported was significantly higher than those made public.'"

How the FBI and Secret Service Know Your Network Has Been Breached Before You Do

Soulskill posted about 5 months ago | from the they-care-before-it-impacts-your-bottom-line dept.

Security 72

coondoggie writes "By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement: the Secret Service and Federal Bureau of Investigation. But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and proprietary information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk."

China Arrests 1,500 People For Sending Spam Messages From Fake Mobile Bases

samzenpus posted about 5 months ago | from the watch-what-you-text dept.

China 35

concertina226 (2447056) writes "Chinese authorities have detained a total of 1,530 suspects in a crackdown on spam SMS text messages being sent out by illegal telecoms equipment, according to Chinese news agency ECNS. Over 2,600 fake mobile base stations were seized and 24 sites manufacturing illegal telecoms equipment shut down as part of a massive nationwide operation involving nine central government and Communist Party of China departments. A report released by Trend Micro this month looked into the telecoms equipment black market in China (PDF) and found that cybercriminals routinely use either a GSM modem, an internet short message gateway or an SMS server to send out spam messages. On the underground market, SMS servers come in 'all-in-one' packages that include a laptop, a GSM mobile phone, an SMS server, an antenna to send out the fake signal and a USB cable, all for RMB 45,000 (£4,355)."

Ask Slashdot: Preparing For Windows XP EOL?

timothy posted about 5 months ago | from the stock-up-like-y2k dept.

Windows 423

An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure these remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious; as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."

Russian Officials Dump iPads For Samsung Tablets Over Spy Fears

timothy posted about 5 months ago | from the putin-actually-invented-it dept.

Android 198

wiredmikey writes: "Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware."

Weev's Attorney Says FBI Is Intercepting His Client's Mail

timothy posted about 5 months ago | from the men-in-the-middle-attack dept.

The Courts 109

Daniel_Stuckey (2647775) writes "The FBI is intercepting the prison correspondence of infamous Internet troll Andrew "weev" Auernheimer, including letters from his defense team, according to his attorney. 'He's sent me between 10 and 20 letters in the last month or two. I've received one,' Tor Ekeland, who had just returned from visiting Auernheimer at the federal corrections institute in Allenwood, PA., told the Daily Dot in a video interview.

Last March, Auernheimer was convicted of accessing a computer without authorization and sentenced to 41 months in prison. As a member of the computer security team Goatse Security, Auernheimer discovered a major security flaw in AT&T's network, which allowed him to download the email addresses of some 114,000 iPad users. Goatse Security reported the flaw to Gawker and provided journalists with the information, who then published it in redacted form."

Gameover Malware Targets Job Seekers

Soulskill posted about 5 months ago | from the game-over-man,-game-over dept.

Security 42

itwbennett writes: "A new variant of the Gameover computer Trojan is targeting job seekers and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts. Like the Zeus banking malware on which it is based, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers. 'A computer infected with Gameover ZeuS will inject a new 'Sign In' button [into the Monster.com sign-in page], but the page looks otherwise identical,' security researchers from antivirus firm F-Secure said Tuesday in a blog post."

Security for the 'Internet of Things' (Video)

Roblimo posted about 5 months ago | from the my-kitchen-sink-has-been-hacked-and-is-spewing-hot-water-all-over-the-place dept.

Security 106

What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you're on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. - and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good. With the 'Internet of Things' you will have many devices to secure, not just a couple of computers and handheld devices. Timothy Lord met Mark Stanislav of Duo Security at BSides Austin 2014, which is where this interview took place. (Here's an alternate link to the video.)

Target and Trustwave Sued Over Credit Card Breach

Unknown Lamer posted about 5 months ago | from the kill-the-auditor dept.

Security 87

jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action, led by Trustmark National Bank and Green Bank, says the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."

Rebooting the Full Disclosure List

Unknown Lamer posted about 5 months ago | from the whack-a-mole dept.

Security 15

An anonymous reader writes with good news for advocates of Full Disclosure of security vulnerabilities. A week ago, the venerable full-disclosure list was shut down; now, a successor has arisen run by fyodor. From the announcement email: "As an F-D subscriber and occasional poster myself, I was as shocked as you all last week when John Cartwright threw in the towel and shuttered the list. Now I don't blame him one bit. He performed a thankless job admirably for 12 years and deserves some time off. But I, for one, already miss Full Disclosure. So I decided to make a new list today which is a successor in name and spirit. Like the old one, it uses Mailman and is being archived by my Seclists.org site as well as numerous other archives around the world. This list is a fresh start, so the old userbase won't automatically transfer over. And I haven't added any of you either, because it is your choice. ... I hope you'll join us and resume posting your security info and advisories. If not now, then someday."

MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data

Soulskill posted about 5 months ago | from the what-about-when-leak-exists-between-keyboard-and-chair dept.

Encryption 90

rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user's browser. Integrated with the open-source Meteor framework, a Mylar prototype has already secured six applications by changing only 35 lines of code."

Remote ATM Attack Uses SMS To Dispense Cash

timothy posted about 5 months ago | from the $$$-rofl-omg-$$$ dept.

Security 150

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

Big Data Breaches Give Credit Monitoring Services a Boost

timothy posted about 5 months ago | from the glaziers-love-broken-windows dept.

The Almighty Buck 48

Hugh Pickens DOT Com (2995471) writes "As attacks like the one on Target have exposed up to 40 million customer payment card accounts and the names, addresses and email addresses of as many as 70 million shoppers, Tiffany Hsu and E. Scott Reckard report in the LA Times that increased activity by data hackers has produced millions of victims but there has been one big winner: credit monitoring businesses. "It's almost a terrible thing to say, but these kinds of situations raise awareness of the need to protect yourself and to be more vigilant in checking your transactions," says Yaron Samid. Meanwhile services with names such as BillGuard and Identity Guard report a surge in sign-ups from people anxious to be protected. For example, the number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December." (More below.)

Microsoft Word Zero-Day Used In Targeted Attacks

Unknown Lamer posted about 5 months ago | from the upgrade-your-word-processor dept.

Microsoft 88

wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained. Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."

Ask Slashdot: Moving From Tech Support To Development?

timothy posted about 4 months ago | from the which-flavor-of-ice-cream? dept.

Programming 133

An anonymous reader writes "My eastern European tech-support job will be outsourced in 6 months to a nearby country. I do not wish to move, having relationship and roots here, and as such I stand at a crossroads. I could take my current hobby more seriously and focus on Java development. I have no degree, no professional experience in the field, and as such, I do not hold much market value for an employer. However, I find joy in the creative problem solving that programming provides. Seeing the cogs finally turn after hours invested gives me pleasures my mundane work could never do. The second option is Linux system administration with a specialization in VMware virtualisation. I have no certificates, but I have been around enterprise environments (with limited support of VMware) for 21 months now, so at the end of my contract with 27 months under my belt, I could convince a company to hire me based on willingness to learn and improve. All the literature is freely available, and I've been playing with VDIs in Debian already.

My situation is as follows: all living expenses except food, luxuries and entertainment are covered by the wage of my girlfriend. That would leave me in a situation where we would be financially alright, but not well off, if I were to earn significantly less than I do now. I am convinced that I would be able to make it in system administration, however, that is not my passion. I am at an age where children are not a concern, and risks seem to be, at first sight, easier to take. I would like to hear the opinion and experience of fellow readers who might have been in a similar situation."

One Billion Android Devices Open To Privilege Escalation

timothy posted about 5 months ago | from the that's-beeeeeellion dept.

Android 117

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said."
Handily enough, the original paper is not paywalled.
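The upgrade behaviour described above, reduced to a toy model as an added example (not code from the paper, from Android's real Package Management Service, or from the SecUP scanner): an app installed on an older OS declares a permission that OS does not define yet; the vulnerable package manager grants it automatically after the upgrade, the hardened one withholds it, and a small static scan flags the app beforehand. Permission names and version numbers are invented for the illustration, and the real flaws involve more cases than this one mechanism.

```python
from dataclasses import dataclass, field

# Constructed permission sets per OS version: version 2 defines a
# permission that version 1 does not know about.  Names are illustrative,
# not real Android permission strings.
PERMISSIONS_BY_VERSION = {
    1: {"INTERNET", "READ_CONTACTS"},
    2: {"INTERNET", "READ_CONTACTS", "READ_PRIVATE_MESSAGES"},
}


@dataclass
class App:
    name: str
    requested: set                      # permissions declared in the manifest
    granted: set = field(default_factory=set)


class PackageManager:
    """Toy model of the update path. vulnerable=True auto-grants manifest
    permissions that become defined after an OS upgrade (the behaviour the
    paper calls Pileup); vulnerable=False withholds them for a fresh decision."""

    def __init__(self, version, vulnerable):
        self.version = version
        self.vulnerable = vulnerable
        self.apps = {}

    def defined(self):
        return PERMISSIONS_BY_VERSION[self.version]

    def install(self, app):
        # Unknown permission names are ignored at install time but stay in
        # the manifest, so the app can lie in wait for a newer OS.
        app.granted = {p for p in app.requested if p in self.defined()}
        self.apps[app.name] = app

    def upgrade_os(self, new_version):
        """Returns {app_name: permissions that became grantable}."""
        self.version = new_version
        report = {}
        for app in self.apps.values():
            newly_defined = (app.requested & self.defined()) - app.granted
            if newly_defined:
                report[app.name] = newly_defined
                if self.vulnerable:
                    app.granted |= newly_defined   # no user involved
        return report


def scan_for_pileup(apps, current_version, target_version):
    """Static check in the spirit of a pre-upgrade scanner: which installed
    apps declare permissions undefined now but defined in the upgrade target?"""
    now = PERMISSIONS_BY_VERSION[current_version]
    later = PERMISSIONS_BY_VERSION[target_version]
    return {a.name: (a.requested & later) - now
            for a in apps if (a.requested & later) - now}


def run_scenario(vulnerable):
    """Install a waiting app and a benign one on version 1, scan, upgrade to
    version 2, and return (scan findings, what the waiting app ended up with)."""
    pm = PackageManager(version=1, vulnerable=vulnerable)
    sneaky = App("sneaky", {"INTERNET", "READ_PRIVATE_MESSAGES"})
    benign = App("benign", {"INTERNET"})
    pm.install(sneaky)
    pm.install(benign)
    flagged = scan_for_pileup(pm.apps.values(), 1, 2)
    pm.upgrade_os(2)
    return flagged, pm.apps["sneaky"].granted
```

The scan is cheap because it needs only the installed manifests and the permission list of the target build; the expensive part in practice is the catalogue of permission names across the thousands of vendor builds the paper mentions.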

Fake PGP Keys For Crypto Developers Found

timothy posted about 5 months ago | from the who-you-say-you-are dept.

Encryption 110

IamTheRealMike (537420) writes "In recent months fake PGP keys have been found for at least two developers on well known crypto projects: Erinn Clark, a Tor developer and Gavin Andresen, the maintainer of Bitcoin. In both cases, these PGP keys are used to sign the downloads for popular pieces of crypto software. PGP keys are supposed to be verified through the web of trust, but in practice it's very hard to find a trust path between two strangers on the internet: one reply to Erinn's mail stated that despite there being 30 signatures [attached to] her key, [the respondent] couldn't find any trust paths to her. It's also very unclear whether anyone would notice a key substitution attack like this. This leaves three questions: who is doing this, why, and what can be done about it? An obvious candidate would be intelligence agencies, who may be trying to serve certain people with backdoored binaries via their QUANTUMTHEORY man-in-the-middle system. As to what can be done about it, switching from PGP to X.509 code signing would be an obvious candidate. Both Mac and Windows support it, obtaining a forged certificate is much harder than simply uploading a fake PGP key, and whilst X.509 certs can be issued in secret until Google's Certificate Transparency system is fully deployed, finding one would be strong evidence that an issuing CA had been compromised: something that seems plausible but for which we currently lack any evidence. Additionally, bad certificates can be revoked when found whereas beyond making blog posts, not much can be done about the fake PGP keys."

WPA2 Wireless Security Crackable With "Relative Ease"

timothy posted about 5 months ago | from the relatively-absolute dept.

Wireless Networking 150

An anonymous reader writes "Achilleas Tsitroulis of Brunel University, UK, Dimitris Lampoudis of the University of Macedonia, Greece and Emmanuel Tsekleves of Lancaster University, UK, have investigated the vulnerabilities in WPA2 and present its weakness. They say that this wireless security system might now be breached with relative ease [original, paywalled paper] by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware."

Docker Turns 1: What's the Future For Open Source Container Tech?

timothy posted about 5 months ago | from the within-and-beneath-additional-layers dept.

Software 65

darthcamaro (735685) writes "Docker has become one of the most hyped open-source projects in recent years, making it hard to believe the project only started one year ago. In that one year, Docker has now gained the support of Red Hat and other major Linux vendors. What does the future hold for Docker? Will it overtake other forms of virtualization or will it just be a curiosity?"

More On the Disposable Tech Worker

Soulskill posted about 5 months ago | from the always-recycle-them-when-you're-finished-using-them dept.

Businesses 323

Jim_Austin writes "At a press conference this week, in response to a question by a Science Careers reporter, Scott Corley, the Executive Director of immigration-reform group Compete America, argued that retraining workers doesn't make sense for IT companies. For the company, he argued, H-1B guest workers are a much better choice. 'It's not easy to retrain people,' Corley said. 'The further you get away from your education the less knowledge you have of the new technologies, and technology is always moving forward.'"

Speedy Attack Targets Web Servers With Outdated Linux Kernels

Soulskill posted about 5 months ago | from the update-your-junk dept.

Security 93

alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."

Linux May Succeed Windows XP As OS of Choice For ATMs

Soulskill posted about 5 months ago | from the cash-from-a-penguin dept.

Linux Business 367

Dega704 sends this news from ComputerWorld: "Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles. Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association. 'There is some heartburn in the industry' over Microsoft's end-of-support decision, Tente said. ATM operators would like to be able to synchronize their hardware and software upgrade cycles. But that's hard to do with Microsoft dictating the software upgrade timetable. As a result, 'some are looking at the possibility of using a non-Microsoft operating system to synch up their hardware and software upgrades,' Tente said."

Inside NSA's Efforts To Hunt Sysadmins

Soulskill posted about 5 months ago | from the most-sedentary-sport dept.

IT 147

An anonymous reader writes "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"

Working with Real-Time Analytics as a Service (Video)

Roblimo posted about 5 months ago | from the knowledge-you-might-need-someday-even-if-you-don't-need-it-now dept.

Stats 15

This is a wide-ranging interview with Dev Patel and Poulomi Damany of BitYota, an Analytics as a Service startup that works specifically with MongoDB. Open Source? Not yet. But hopefully soon, they say. And why should an IT person or programmer care about marketing-oriented analytics? Because the more you know about functions in your company besides IT (such as finance, investor relations, and -- yes -- marketing), the more valuable you are as an employee. Dev also mentions the two main things he looks for when recruiting for BitYota: "One is intellect, and the other is attitude." He points out that this is not true merely of BitYota, but of any strong startup. This is all good information for any job-seeker hoping to land a spot with a startup -- and for anyone who is happy with where he or she works but hopes to earn promotions and raises, too.

Tor Project: Fake Tor App Has Been In Apple's App Store For Months

Unknown Lamer posted about 5 months ago | from the well-he-paid-his-developer-fees-so-... dept.

Iphone 78

itwbennett (1594911) writes "For the past several months Tor developers have unsuccessfully been trying to convince Apple to remove from its iOS App Store what they believe to be a fake and potentially malicious Tor Browser application. According to subsequent messages on the bug tracker, a complaint was filed with Apple on Dec. 26 with Apple reportedly responding on Jan. 3 saying it would give a chance to the app's developer to defend it. More than two months later, the Tor Browser app created by a developer named Ronen is still available in the App Store. The issue came into the public spotlight Wednesday when people involved in the Tor Project took to Twitter to make their concerns heard. Apple did not respond to IDG News Service's request for comment."

Gmail Goes HTTPS Only For All Connections

Unknown Lamer posted about 5 months ago | from the nsa-already-has-the-private-key dept.

Google 141

Trailrunner7 (1100399) writes "Perhaps no company has been as vocal with its feelings about the revelations about the NSA's collection methods as Google has, and the company has been making a series of changes to its infrastructure in recent months to make it more difficult for adversaries to snoop on users' sessions. The biggest of those changes landed Thursday when the company switched its Gmail service to HTTPS only, enforcing SSL encryption on all Gmail connections. The change is a significant one, especially given the fact that Google also has encrypted all of the links between its data centers. Those two modifications mean that Gmail messages are encrypted from the time they leave a user's machine to the time they leave Google's infrastructure. This makes life much more difficult for anyone, including the NSA, who is trying to snoop on those Gmail sessions." Gmail also does TLS for SMTP, but regrettably Talk (what's left of it) does not do TLS for XMPP server-to-server connections, effectively forcing XMPP server admins to lower their security if they want to federate with Google.

Bitcoin's Software Gets Security Fixes, New Features

Unknown Lamer posted about 5 months ago | from the don't-modify-that-transaction dept.

Bitcoin 173

itwbennett (1594911) writes "The software driving Bitcoin's network was upgraded Wednesday, with security fixes addressing a problem that defunct bitcoin exchange Mt. Gox blamed for losing nearly half a billion dollars worth of bitcoins. The latest version of bitcoin's software, 0.9.0, contains more than a half dozen fixes for transaction malleability, according to the release notes for the software. Bitcoin Core also contains a new feature for payment requests. Previously, merchants couldn't attach a note describing an invoice, and people also could not supply a refund address to a merchant. The latest version automatically supplies a refund address." This wouldn't have prevented the Mt. Gox implosion since they weren't using the reference implementation. The foundation also renamed the software to "Bitcoin Core" to avoid confusion between Bitcoin-the-network and Bitcoin-the-reference-implementation.

UK To Create Alan Turing Institute

samzenpus posted about 5 months ago | from the brand-new dept.

United Kingdom 62

kc123 writes "The UK government has announced plans to create the Alan Turing Institute intended to tackle problems in Big Data. The government will provide £42m over five years for the project. Turing was a pivotal figure in mathematics and computing. His codebreaking work led to the cracking of the German 'Enigma' codes. In December 2013, after a series of public campaigns, Turing received a posthumous royal pardon for a conviction of homosexual activity in 1952."

Security Industry Incapable of Finding Firmware Attackers

Unknown Lamer posted about 5 months ago | from the just-use-coreboot dept.

Security 94

New submitter BIOS4breakfast writes "Research presented at CanSecWest has shown that despite the fact that we know that firmware attackers, in the form of the NSA, definitely exist, there is still a wide gap between the attackers' ability to infect firmware, and the industry's ability to detect their presence. The researchers from MITRE and Intel showed attacks on UEFI SecureBoot, the BIOS itself, and BIOS forensics software. Although they also released detection systems for supporting more research and for trustworthy BIOS capture, the real question is: when is this going to stop being the domain of research and when are security companies going to get serious about protecting against attacks at this level?"

Full-Disclosure Security List Suspended Indefinitely

Unknown Lamer posted about 5 months ago | from the poking-the-hornet's-nest-for-12-years dept.

Censorship 162

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing."
The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

Malware Attack Infected 25,000 Linux/UNIX Servers

Soulskill posted about 5 months ago | from the sudo-configure-your-stuff-properly dept.

Security 220

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."

A Call For Rollbacks To Previous Versions of Software

timothy posted about 5 months ago | from the forced-upgrades-are-a-pox-on-the-world dept.

Software 199

colinneagle writes "In a blog post, Andy Patrizio laments the trend, made more common in the mobile world, of companies pushing software updates ahead without the ability to roll back to previous versions in the event that the user simply doesn't like it. iOS 7.1, for example, has reportedly been killing some users' battery power, and users of the iTunes library app TuneUp will remember how the much-maligned version 3.0 effectively killed the company behind it (new owners have since taken over TuneUp and plan to bring back the older version).

The ability to undo a problematic install should be mandatory, but in too many instances it is not. That's because software developers are always operating under the assumption that the latest version is the greatest version, when it may not be. This is especially true in the smartphone and tablet world. There is no rollback to be had for anything in the iOS and Android worlds. Until the day comes when software developers start releasing perfectly functioning, error-free code, we need the ability to go backwards with all software."

Camera Module Problems May Delay Samsung's Galaxy S5

timothy posted about 5 months ago | from the tiny-little-pieces dept.

Bug 70

concertina226 writes "There's less than a month to go before Samsung launches its new flagship Galaxy S5 smartphone worldwide on 11 April, and the new device has still not gone into mass production due to camera module manufacturing problems. The 16 megapixel camera module consists of six plastic pieces, one more piece than in the existing 13 megapixel camera modules in the Galaxy S4. The problem that Samsung is having is that even though the number of plastic pieces has gone up, the thickness of each piece has remained the same, so in order to fit the new camera module into the Galaxy S5, the lens makers will likely have to develop new technology to make thinner lenses. Not only that, joining six pieces together instead of five for the 13 megapixel camera modules increases the risk of optical faults surfacing at the lens manufacturers' plants dramatically."

Is Analog the Fix For Cyber Terrorism?

Unknown Lamer posted about 5 months ago | from the security-through-obsolescence dept.

Security 245

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks; this could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.

Kaspersky: Mt. Gox Data Archive Contains Bitcoin-Stealing Malware

Unknown Lamer posted about 5 months ago | from the trusting-random-zip-files-considered-harmful dept.

Security 169

itwbennett writes "An archive containing transaction records from Mt. Gox that was released on the Internet last week also contains bitcoin-stealing malware for Windows and Mac, say researchers at Kaspersky Lab who have analyzed the 620MB file called MtGox2014Leak.zip. The files masquerade as Windows and Mac versions of a custom, back-office application for accessing the transaction database of Mt. Gox. However, they are actually malware programs designed to search and steal Bitcoin wallet files from computers, Kaspersky security researcher Sergey Lozhkin said Friday in a blog post."

Aussie Attorney General's War On Encrypted Web Services

samzenpus posted about 5 months ago | from the no-code-for-you dept.

Encryption 151

Bismillah writes "If Attorney-General Brandis gets his way in the process of revising Australia's Telecommunications Interception Act, users and providers of VPNs and other encrypted services will by law be required to decrypt government intercepted data. Because, 'sophisticated criminals and terrorists.' New Zealand already has a similar law, the Telecommunications Interception and Computer Security Act. Apparently, large Internet service providers such as Microsoft and Facebook won't be exempt from the TICSA and must facilitate interception of traffic."

Firefox Was the Most Attacked & Exploited Browser At Pwn2own 2014

Soulskill posted about 5 months ago | from the foxes-provide-the-best-sport dept.

Firefox 207

darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as much as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy, said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researchers only $3,000 per vulnerability."

Ask Slashdot: Best Management Interface On an IT Appliance?

timothy posted about 5 months ago | from the one-you-never-need dept.

GUI 114

tippen writes "The management user interface on most networking and storage appliances is, shall we say, not up to snuff compared to modern websites or consumer products. What are the best examples of good UX design on an IT appliance that you've managed? What was it that made you love it? What should companies (or designers) developing new products look to as best-in-class that they should be striving for?"

How Data Storage Has Grown In the Past 60 Years

timothy posted about 5 months ago | from the megaleaps-and-gigabounds dept.

Data Storage 100

Lucas123 writes "Imagine that in 1952, an IBM RAMAC 350 disk drive would have been able to hold only one .MP3 song. Today, a 4TB 3.5-in desktop drive (soon to be 5TB) can hold 760,000 songs. As much data as the digital age creates (2.16 Zettabytes and growing), data storage technology has always found a way to keep up. It is the fastest growing semiconductor technology there is. Consider a microSD card that in 2005 could store 128MB of capacity. Last month, SanDisk launched a 128GB microSD card — 1,000 times the storage in under a decade. While planar NAND flash is running up against a capacity wall, technology such as 3D NAND and Resistive Random Access Memory (RRAM) hold the promise of quadrupling of solid state capacity. Here are some photos of what was and what is in data storage."

U.S. Aims To Give Up Control Over Internet Administration

timothy posted about 5 months ago | from the at-long-last dept.

The Internet 279

schwit1 writes with this excerpt from the Washington Post: "U.S. officials announced plans Friday to relinquish federal government control over the administration of the Internet, a move likely to please international critics but alarm some business leaders and others who rely on smooth functioning of the Web.

Pressure to let go of the final vestiges of U.S. authority over the system of Web addresses and domain names that organize the Internet has been building for more than a decade and was supercharged by the backlash to revelations about National Security Agency surveillance last year."
Reader Midnight_Falcon points out this press release on the move from Commerce Department’s National Telecommunications and Information Administration.

Target Ignored Signs of Data Breach

Soulskill posted about 5 months ago | from the making-themselves-quite-a-target dept.

Security 95

puddingebola writes "Target ignored indications from its threat-detection tools that malware had infected its network. From the article, 'Unusually for a retailer, Target was even running its own security operations center in Minneapolis, according to a report published Thursday by Bloomberg Businessweek. Among its security defenses, following a months-long testing period and May 2013 implementation, was software from attack-detection firm FireEye, which caught the initial November 30 infection of Target's payment system by malware. All told, up to five "malware.binary" alarms reportedly sounded, each graded at the top of FireEye's criticality scale, and which were seen by Target's information security teams first in Bangalore, and then Minneapolis.' Unfortunately, it appears Target's security team failed to act on the threat indicators."

Weak Apple PRNG Threatens iOS Exploit Mitigations

Soulskill posted about 5 months ago | from the also-makes-you-lose-at-poker dept.

Encryption 143

Trailrunner7 writes "A revamped early random number generator in iOS 7 is weaker than its vulnerable predecessor and generates predictable outcomes. A researcher today at CanSecWest said an attacker could brute force the Early Random PRNG used by Apple in its mobile operating system to bypass a number of kernel exploit mitigations native to iOS. 'The Early Random PRNG in iOS 7 is surprisingly weak,' said Tarjei Mandt, senior security researcher at Azimuth Security. 'The one in iOS 6 is better because this one is deterministic and trivial to brute force.' The Early Random PRNG is important to securing the mitigations used by the iOS kernel. 'All the mitigations deployed by the iOS kernel essentially depend on the robustness of the Early Random PRNG,' Mandt said. 'It must provide sufficient entropy and non-predictable output.'"

A Look at the NSA's Most Powerful Internet Attack Tool

samzenpus posted about 5 months ago | from the big-gun dept.

United States 154

realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That's reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempts (poorly) to use this for defense."
