Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.
Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and learn more about it. Thanks for reading, and for making the site better!
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.
First time accepted submitter ControlsGeek (156589) writes "The Raspberry Pi Foundation has developed a new product. It is basically a Raspberry Pi model A processor, memory, and flash memory on a DDR2-style SODIMM connector. Also available will be a development board that breaks out all the internal connections. The board design will be open sourced so you can develop your own devices using the BCM2835 processor. No network, but support for 2 HDMI displays and 2 cameras, so 3D TV is a possibility.
An anonymous reader writes "Despite whispers of growing dissatisfaction among consumers, there are still very few ISP start-ups popping up in communities all over the U.S. There are two main reasons for this: up-front costs and legal obstacles. The first reason discourages anyone who doesn't have Google's investors or the local government financially supporting them from even getting a toe in the business. 'Financial analysts last year estimated that Google had to spend $84 million to build a fiber network that passed 149,000 homes in Kansas City, with the cost per home at $500 to $674.' The second reason will keep any new start-up defending itself in court against frivolous lawsuits incumbent ISP providers have been known to file to bleed the newcomers dry in legal fees. There are also ISP lobbyists working to pass laws that prevent local governments from either entering the ISP market themselves or partnering with private companies to provide ISP alternatives. Given these set-backs and growing dissatisfaction with the status quo, one has to wonder how long before the U.S. recognizes the internet as a utility and passes laws and regulations accordingly."
jaa101 (627731) writes "The owner of a drone which fell and reportedly hit an athlete competing in a triathlon in Western Australia's Mid West has said he believes the device was 'hacked' into." From the article: "Mr Abrams said an initial investigation had indicted that someone nearby "channel hopped" the device, taking control away from the operator. ... Mr Abrams said it was a deliberate act and it would be difficult to determine who was responsible as something as common as a mobile phone could be used to perform a channel hop. The videographer added that there had been a similar incident when the drone was flown earlier in the day."
NicknamesAreStupid (1040118) writes "As Whoever57 pointed out, there are some who will still get support for Microsoft Windows XP — the 'haves'. However, most will be the 'have nots.' Anytime you have such market imbalance, there is opportunity. Since Microsoft clearly intends to create a disparity, there will certainly be those who defy it. What will Microsoft do to prevent bootleg patches of XP from being sold to the unwashed masses? How will they stop China from supporting 100 million bootleg XP users? And how easily will it be to crack Microsoft's controls? How big will the Windows XP patch market be?" There are a lot of businesses still on Windows XP; if you work for one of them, will the official end of life spur actually cause you to upgrade? (And if so, to what?)
rjmarvin (3001897) writes "Researchers at the U.K.'s Lancaster University have reimagined the fundamental logic behind encryption, stumbling across a radically new way to encrypt data while creating software models to simulate how the human heart and lungs coordinate rhythms. The encryption method published in the American Physical Society journal and filed as a patent entitled 'Encoding Data Using Dynamic System Coupling,' transmits and receive multiple encrypted signals simultaneously, creating an unlimited number of possibilities for the shared encryption key and making it virtually impossible to decrypt using traditional methods. One of the researchers, Peter McClintock, called the encryption scheme 'nearly unbreakable.'
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.
An anonymous reader writes "Linux kernel developers are currently evaluating the possibility of using QR codes to display kernel oops/panic messages. Right now a lot of text is dumped to the screen when a kernel oops occurs, most of which isn't easily archivable by normal Linux end-users. With QR codes as Linux oops messages, a smart-phone could capture the display and either report the error string or redirect them to an error page on Kernel.org. The idea of using QR codes within the Linux kernel is still being discussed by upstream developers."
An anonymous reader writes "I am a new Linux user; I'm on 2nd day now. Currently I am trying out Ubuntu, but that could change. I am looking for a user friendly firewall that I can set up that lets me do these things:1) set up a default deny rule 2) carve out exceptions for these programs: browser, email client, chat client, yum and/or apt. 3) carve out exceptions to the exceptions in requirement 2 — i.e. I want to be able to then block off IPs and IP ranges known to be used by malware, marketers, etc., and all protocols which aren't needed for requirement 2. It also needs to have good enough documentation that a beginner like me can figure it out. Previously, I had done all of the above in AVG Firewall on Windows, and it was very easy to do. So far, I have tried these things:1) IPTABLES — it looked really easy to screw it up and then not notice that it's screwed up and/or not be able to fix it even if I did notice, so I tried other things at that point... 2) searched the internet and found various free firewalls such as Firestarter, GUFW, etc., which I weren't able to make meet my requirements. Can someone either point me to a firewall that meets my needs or else give me some hints on how to make firestarter or GUFW do what I need?"
An anonymous reader writes "Since Edward Snowden started making NSA files public last year, GSMK has seen a jump in sales. There are more than 100,000 CryptoPhones in use today. How secure they really are will be determined in the future. But I'm sure that some government agencies, not just in the U.S., are very interested in getting a list of users." For the price the company's charging for a modified Galaxy S3, it had better be as secure as they claim; otherwise, the free and open source RedPhone from Moxie Marlinspike's Whisper Systems seems like something to think about first.
An anonymous reader writes "Microsoft [Thursday] announced a change to how it handles adware, a form of malware that pushes unwanted advertisements to the user. As of July 1, the company's security products will immediately stop any adware they detect and notify the user, who can then restore the program if they wish. Currently, when any of Microsoft's security products (including Microsoft Security Essentials and Microsoft Forefront) detects a program as adware, it will alert the user and offer them a recommended action. If the user doesn't do anything, the security product will let the program continue to run until the user makes a decision." If adware is malware, why wait until July?
whoever57 (658626) writes "The UK Government has signed a contract worth £5.5M (almost $9M) for extended support and security updates for Windows XP for 12 months after April 8. The deal covers XP, Exchange 2003 and Office 2003 for users in central and local government, schools and the National Health Service. The NHS is in need of this deal because it was estimated last September that 85% of the NHS's 800,000 computers were running XP."
mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.
fructose writes: "The Nest Protect has a flaw in its software that, under the right circumstances, could disable the alarm and not notify the owners of a fire. To remedy this flaw, they are disabling the Nest Wave feature through automatic updates. Owners who don't have their Nest Protects connected to their WiFi net or don't have a Nest account are suggested to either update the device manually or return it to Nest for a full refund. While they work out the problem, all sales are being halted to prevent unsafe units from being sold. There have been no reported incidents resulting from this flaw, but they aren't taking any chances."
chicksdaddy writes: "The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet and the invisible hand behind every flawed crypto implementation. Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP. (Video with time code.) Researchers at the time were working on just such a lightweight cryptosystem. On Stanford's campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn't yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977). As it turns out, however, Cerf did have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren't they used? The crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet. 'At the time I couldn't share that with my friends,' Cerf said."
New submitter Smiffa2001 writes: "The BBC reports that five-year-old Kristoffer Von Hassel from San Diego has uncovered a (frankly embarrassing) security flaw within the Xbox One login screen. Apparently by entering an incorrect password in the first prompt and then filling the second field with spaces, a user can log in without knowing a password to an account. Young Kristoffer's dad submitted the flaw to Microsoft — who have patched the flaw — and have generously provided four free games, $50, a year-long subscription to Xbox Live and an entry on their list of Security Researcher Acknowledgments."
mask.of.sanity writes: "A security researcher says he has developed a method to score free flights across Europe by generating fake boarding passes designed for Apple's Passbook app. The 18-year-old computer science undergrad didn't reveal the 'bypass' which gets the holder of the fraudulent ticket past the last scanner and onto the jetway; he's saving that for his talk at Hack in the Box in Amsterdam next month."
atrader42 (687933) writes "Microsoft announced a new .NET compiler that compiles .NET code to native code using the C++ compiler backend. It produces performance like C++ while still enabling .NET features like garbage collection, generics, and reflection. Popular apps have been measured to start up to 60% faster and use 15% less memory. The preview currently only supports Windows Store applications, but is expected to apply to more .NET applications in the long term. A preview of the compiler is available for download now. (Caveat: I both work for MS and read Slashdot.)"
An anonymous reader writes "Researchers at New York University have devised a new scheme called PolyPassHash for storing password hash data so that passwords cannot be individually cracked by an attacker. Instead of a password hash being stored directly in the database, the information is used to encode a share in a Shamir Secret Store (technical details PDF). This means that a password cannot be validated without recovering a threshold of shares, thus an attacker must crack groups of passwords together. The solution is fast, easy to implement (with C and Python implementations available), requires no changes to clients, and makes a huge difference in practice. To put the security difference into perspective, three random 6 character passwords that are stored using standard salted secure hashes can be cracked by a laptop in an hour. With a PolyPassHash store, it would take every computer on the planet longer to crack these passwords than the universe is estimated to exist. With this new technique, HoneyWords, and hardware solutions all available, does an organization have any excuse if their password database is disclosed and user passwords are cracked?."
MojoKid (1002251) writes "Today, Qualcomm is announcing full support for a new wireless transmission method that could significantly boost performance on crowded networks. The new standard, MU-MIMO (Multiple User — Multiple Input and Multiple Output) has a clunky name — but could make a significant difference to home network speeds and make gigabit WiFi a practical reality. MU-MIMO is part of the 802.11ac Release 2 standard, so this isn't just a custom, Qualcomm-only feature. In SU-MIMO mode, a wireless router creates time slices for every device it detects on the network. Every active device on the network slows down the total system bandwidth — the router has to pay attention to every device, and it can only pay attention to one phone, tablet, or laptop at a time. The difference between single-user and multi-user configurations is that where SU can only serve one client at a time and can therefore only allocate a fraction of total bandwidth to any given device, MU can create groups of devices and communicate with all three simultaneously."
An anonymous reader writes "In an unprecedented total disruption of a fully operational GNSS constellation, all satellites in the Russian GLONASS broadcast corrupt information for 11 hours, from just past midnight until noon Russian time (UTC+4), on April 2 (or 5 p.m. on April 1 to 4 a.m. April 2, U.S. Eastern time). This rendered the system completely unusable to all worldwide GLONASS receivers."
Lucas123 writes: "A presentation released today by Intel revealed images of the USB 3.1 Type-C cable and connectors, which is symmetrical and will no longer require a user to correctly orient the plug. Initially, the USB 3.1 Type-C specification will support up to 10Gbps data transfer speeds. The Type-C connectors resemble those of Apple's Thunderbolt cabling in that they are much smaller than today's USB SuperSpeed connectors. The receptacle opening is 8.3mm x 2.5mm.The first iteration will have a 5 volt power transfer rate, but it is expected to deliver up to 100 watts for higher power applications in the future."
benrothke (2577567) writes "When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest writers in that domain. For anyone with an interest in the topic, Kahn's works are read in detail and anticipated. His first book was written almost 50 years ago: The Codebreakers – The Story of Secret Writing; which was a comprehensive overview on the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boats Codes, 1939-1943. The Codebreakers was so good and so groundbreaking, that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid 1990's. With such a pedigree, many were looking forward, including myself, to his latest book How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code. While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970's. From the book description and cover, one would get the impression that this is an all new work. But it is not until ones reads the preface, that it is detailed that the book is simple an assemblage of collected articles." Keep reading for the rest of Ben's review.
Chester Wisniewski's nakedsecurity describes Wisniewski's specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin. (Alternate video link.)
Nemo the Magnificent (2786867) writes "A friend of mine bought a Western Digital 'MyCloud' NAS server (non-RAID) a couple of weeks ago. WD implements the cloud service through its wd2go.com site. He reports that that site is down and has been since last Wednesday. No word on when it'll be back up. The only official announcements are daily repeats of this canned posting: 'Our My Cloud and My Book Live users are experiencing intermittent issues with WD servers that enable remote access when using these products. These issues include poor transfer speeds and/or inability to connect remotely. We sincerely apologize for this inconvenience and we are working very hard to resolve these issues and resume normal service as soon as possible. We thank you for your patience and will provide updates as they are available.'"
UnderAttack (311872) writes "The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations who are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device."
Rambo Tribble (1273454) writes "Reuters is reporting that the U.S. National Security Agency managed to have security firm RSA adopt not just one, but two security tools, further facilitating NSA eavesdropping on Internet communications. The newly discovered software is dubbed 'Extended Random', and is intended to facilitate the use of the already known 'Dual Elliptic Curve' encryption software's back door. Researchers from several U.S. universities discovered Extended Random and assert it could help crack Dual Elliptic Curve encrypted communications 'tens of thousands of times faster'."
An anonymous reader writes: "Nitesh Dhanjani has written a paper outlining the security mechanisms surrounding the Tesla Model S, as well as its shortcomings, titled 'Cursory Evaluation of the Tesla Model S: We Can't Protect Our Cars Like We Protect Our Workstations.' Dhanjani says users are required to set up an account secured by a six-character password when they order the car. This password is used to unlock a mobile phone app and to gain access to the user's online Tesla account. The freely available mobile app can locate and unlock the car remotely, as well as control and monitor other functions.
The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account. An attacker might guess the password via a Tesla website, which Dhanjani says does not restrict the number of incorrect login attempts. Dhanjani said there is also evidence that Tesla support staff can unlock cars remotely, leaving car owners vulnerable to attackers impersonating them, and raising questions about the apparent power of such employees to locate and unlock any car with or without the owner's knowledge or permission. In his paper, Dhanjani also describes the issue of Tesla's REST APIs being used by third parties without Tesla's permission, causing Tesla owners' credentials to be sent to those third parties, who could misuse the information to locate and unlock cars."
darthcamaro (735685) writes "Red Hat's open source oVirt project hit a major milestone this week with the release of version 3.4. It's got improved storage handling so users can mix and match different resource types, though the big new feature is one that seems painfully obvious. For the first time oVirt users can have the oVirt Manager and oVirt VMs on the same physical machine. 'So, typically, customers deployed the oVirt engine on a physical machine or on a virtual machine that wasn't managed or monitored,' Scott Herold, principal product manager for Red Hat Enterprise Virtualization said. 'The oVirt 3.4 release adds the ability for oVirt to self-host its engine, including monitoring and recovery of the virtual machine.'" (Wikipedia describes oVirt as "a free platform virtualization management web application community project.")
dotancohen (1015143) writes "It is commonly said that open source software is preferable because if you need something changed, you can change it yourself. Well, I am not an Xorg developer and I cannot maintain a separate Xorg fork. Xorg version 1.13.1 introduced a bug which breaks the "Sticky Keys" accessibility option. Thus, handicapped users who rely on the feature cannot use Xorg-based systems with the affected versions and are stuck on older software versions. Though all pre-bug Linux distros are soon scheduled for retirement, there seems to be no fix in sight. Should disabled users stick with outdated, vulnerable, and unsupported Linux distros or should we move to OS-X / Windows?
The prospect of changing my OS, applications, and practices due to such an ostensibly small issue is frightening. Note that we are not discussing 'I don't like change' but rather 'this unintentional change is incompatible with my physical disability.' Thus this is not a case of every change breaks someone's workflow."
An anonymous reader writes "The makers of two major mobile apps, Fandango and Credit Karma, have settled with the Federal Trade Commission after the commission charged that they deliberately misrepresented the security of their apps and failed to validate SSL certificates. The apps promised users that their data was being sent over secure SSL connections, but the apps had disabled the validation process. The settlements with the FTC don't include any monetary penalties, but both companies have been ordered to submit to independent security audits every other year for the next 20 years and to put together comprehensive security programs."
An anonymous reader writes "Security engineers from Google have found that 21 out of the top 25 news organizations have been targeted by cyberattacks that are likely state-sponsored. We've heard about some high profile attacks on news sites, but Google actively tracks the countries that are launching these attacks, and even hosts email services for many of the news organizations. 'Huntley said Chinese hackers recently gained access to a major Western news organization, which he declined to identify, via a fake questionnaire emailed to staff. Most such attacks involve carefully crafted emails carrying malware or directing users to a website crafted to trick them into giving up credentials. Marquis-Boire said that while such attacks were nothing new, their research showed that the number of attacks on media organizations and journalists that went unreported was significantly higher than those made public.'"
coondoggie writes "By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement: the Secret Service and Federal Bureau of Investigation. But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed. Agents go undercover in criminal forums where stolen payment cards, customer data and propriety information are sold. They monitor suspects and sometimes get court permission to break into password-protected enclaves where cyber-criminals lurk."
concertina226 (2447056) writes "Chinese authorities have detained a total of 1,530 suspects in a crackdown on spam SMS text messages being sent out by illegal telecoms equipment, according to Chinese news agency ECNS. Over 2,600 fake mobile base stations were seized and 24 sites manufacturing illegal telecoms equipment shut down as part of a massive nationwide operation involving nine central government and Communist Party of China departments. A report released by Trend Micro this month looked into the telecoms equipment black market in China (PDF) and found that cybercriminals routinely use either a GSM modem, an internet short message gateway and an SMS server to send out spam messages. On the underground market, SMS servers come in 'all-in-one' packages that include a laptop, a GSM mobile phone, an SMS server, an antenna to send out the fake signal and a USB cable, all for RMB 45,000 (£4,355)."
An anonymous reader writes "As most of us working in IT may know, Microsoft will stop supporting Windows XP on April 8th, 2014. Although this fact has been known for quite some time, XP is still relatively popular in companies and also enjoys noticeable marketshare for home users. Even ATMs are running XP and will continue to do so for some time. A lot of companies/users don't want to change because they see no additional benefit to do a costly upgrade, no reason to change a running system, and they may in some cases be right with their assumptions. So what is the best way to secure this remaining Windows XP systems? Installing the latest security patches, checking firewall status and user permissions etc. should be fairly obvious, as Microsoft Security Essentials may also not receive updates anymore, changing antivirus programs seems a sensible thing to do."
mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
An anonymous reader writes "After hiring the lead Btrfs developers and Linux kernel block maintainers last year, Facebook is beginning trial deployments of Btrfs. Facebook will start using the next-generation file-system within their web-tier and they will be among the first major public deployments of Btrfs."
wiredmikey writes: "Russian government officials have swapped their iPads for Samsung tablets to ensure tighter security, the telecoms minister told news agencies on Wednesday. Journalists spotted that ministers at a cabinet meeting were no longer using Apple tablets, and minister Nikolai Nikiforov confirmed the changeover "took place not so long ago." He said the ministers' new Samsungs were "specially protected devices that can be used to work with confidential information." This isn't the first time Russian powers have had concerns over mobile. In August 2012, Russia unveiled a prototype tablet with its own "almost Android" mobile OS that has the remarkably familiar feel of an Android but with bolstered encryption. In an even more paranoid move, this past July a Russian state service in charge of safeguarding Kremlin communications was looking to purchase an array of old-fashioned typewriters to prevent leaks from computer hardware."
Daniel_Stuckey (2647775) writes "The FBI is intercepting the prison correspondence of infamous Internet troll Andrew "weev" Auernheimer, including letters from his defense team, according to his attorney. 'He's sent me between 10 and 20 letters in the last month or two. I've received one,' Tor Ekeland, who had just returned from visiting Auernheimer at the federal corrections institute in Allenwood, PA., told the Daily Dot in a video interview.
Last March, Auernheimer was convicted of accessing a computer without authorization and sentenced to 41 months in prison. As a member of the computer security team Goatse Security, Auernheimer discovered a major security flaw in AT&T's network, which allowed him to download the email addresses of some 114,000 iPad users. Goatse Security reported the flaw to Gawker and provided journalists with the information, who then published it in redacted form."
itwbennett writes: "A new variant of the Gameover computer Trojan is targeting job seekers and recruiters by attempting to steal log-in credentials for Monster.com and CareerBuilder.com accounts. Like the Zeus banking malware on which it is based, Gameover can steal log-in credentials and other sensitive information by injecting rogue Web forms into legitimate websites when accessed from infected computers. 'A computer infected with Gameover ZeuS will inject a new 'Sign In' button [into the Monster.com sign-in page], but the page looks otherwise identical,' security researchers from antivirus firm F-Secure said Tuesday in a blog post."
What happens when your oven is on the Internet? A malicious hacker might be able to set it to broil while you're on vacation, and get it so hot that it could start a fire. Or a prankster might set your alarm to wake you up at 3 a.m. - and what if someone gets access to the wireless security camera over your front door and uses it to gain access to the rest of your home network, and from there to your bank account? Not good. With the 'Internet of Things' you will have many devices to secure, not just a couple of computers and handheld devices. Timothy Lord met Mark Stanislav of Duo Security at BSides Austin 2014, which is where this interview took place.(Here's an alternate link to the video.)
jfruh (300774) writes "Security vendors like Trustwave can make big bucks when major companies decide they don't have the internal resources to handle their cybersecurity needs. Unfortunately, when taking on security chores, you also take on security liabilities. In the wake of Target's massive credit card security breach, both Target and Trustwave are now on the receiving end of a class action lawsuit, in part backed by banks that had to issue thousands of new credit cards." The filing, and a bit more from El Reg: "It's against Target, however, that the most serious allegations are levelled. The class action led by Trustmark National Bank and Green Bank, say the retailer should not have allowed an outside contractor the access to its network that brought about the breach, and that it violated federal and state laws in storing the credit card data on its network."
An anonymous reader writes with good news for advocates of Full Disclosure of security vulnerabilities. A week ago, the venerable full-disclosure list was shut down; now, a successor has arisen run by fyodor. From the announcement email: "As an F-D subscriber and occasional poster myself, I was as shocked as you all last week when John Cartwright threw in the towel and shuttered the list. Now I don't blame him one bit. He performed a thankless job admirably for 12 years and deserves some time off. But I, for one, already miss Full Disclosure. So I decided to make a new list today which is a successor in name and spirit. Like the old one, it uses Mailman and is being archived by my Seclists.org site as well as numerous other archives around the world. This list is a fresh start, so the old userbase won't automatically transfer over. And I haven't added any of you either, because it is your choice. ... I hope you'll join us and resume posting your security info and advisories. If not now, then someday."
rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which builds and updates applications to keep data secure from server breaches with constant encryption during storage, only decrypting the data in the user's browser. Integrated with the open-source Meteor framework, a Mylar prototype has already secured six applications by changing only 35 lines of code."
judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."
Hugh Pickens DOT Com (2995471) writes "As attacks like the one on Target have exposed up to 40 million customer payment card accounts and the names, addresses and email addresses of as many as 70 million shoppers, Tiffany Hsu and E. Scott Reckard report in the LA Times that increased activity by data hackers has produced millions of victims but there has been one big winner: credit monitoring businesses. "It's almost a terrible thing to say, but these kinds of situations raise awareness of the need to protect yourself and to be more vigilant in checking your transactions," says Yaron Samid. Meanwhile services with names such as BillGuard and Identity Guard report a surge in sign-ups from people anxious to be protected. For example, the number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December." (More below.)
wiredmikey (1824622) writes "Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. 'The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,' Microsoft explained Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft."
An anonymous reader writes "GitHub contains thousands of 'secret keys', which are stored in plain text and can be used by miscreants to access AWS accounts and either run up huge bills or even delete/damage the users files. Amazon is urging users of the coding community site to clean up their act."
An anonymous reader writes "My eastern European tech-support job will be outsourced in 6 months to a nearby country. I do not wish to move, having relationship and roots here, and as such I stand at a crossroads. I could take my current hobby more seriously and focus on Java development. I have no degree, no professional experience in the field, and as such, I do not hold much market value for an employer. However, I find joy in the creative problem solving that programming provides. Seeing the cogs finally turn after hours invested gives me pleasures my mundane work could never do. The second option is Linux system administration with a specialization in VMware virtualisation. I have no certificates, but I have been around enterprise environments (with limited support of VMware) for 21 months now, so at the end of my contract with 27 months under my belt, I could convince a company to hire me based on willingness to learn and improve. All the literature is freely available, and I've been playing with VDIs in Debian already.
My situation is as follows: all living expenses except food, luxuries and entertainment is covered by the wage of my girlfriend. That would leave me in a situation where we would be financially alright, but not well off, if I were to earn significantly less than I do now. I am convinced that I would be able to make it in system administration, however, that is not my passion. I am at an age where children are not a concern, and risks seem to be, at first sight, easier to take. I would like to hear the opinion and experience of fellow readers who might have been in a similar situation."
msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.
The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said." Handily enough, the original paper is not paywalled.