
Restored Bletchley Park Opens

Unknown Lamer posted about 4 months ago | from the things-to-see dept.

United Kingdom 51

Graculus (3653645) writes with this excerpt from the BBC: Codebreakers credited with shortening World War Two worked in Bletchley Park, in structures built to last only a few years. Now, following a painstaking restoration, they have been brought back to life and Wednesday's official opening marks a remarkable turnaround from top secrecy to worldwide attraction. With no photographs of the insides to work with, Bletchley Park looked to its most valuable resource — the veterans who worked there. A museum at the site has already been opened. The structures were once perilously close to being lost forever (until Google stepped in).

How Sabu Orchestrated the Hack of FBI Contractor ManTech

Unknown Lamer posted about 4 months ago | from the security-through-marketing dept.

Security 34

Daniel_Stuckey (2647775) writes Weeks after he started working quietly as an FBI informant, Hector Xavier Monsegur, known by his online alias "Sabu," led a cyber attack against one of the bureau's very own IT contractors. In July 2011, at Monsegur's urging, members of AntiSec, an offshoot of the hacking collective Anonymous, took advantage of compromised log-in credentials belonging to a contractor with a top secret security clearance employed at the time by ManTech International.

According to chat logs recorded by Monsegur at the behest of the FBI and obtained by Motherboard, the informant directed hackers to pilfer as much data as possible from ManTech's servers as investigators stood by. Stolen data was published as the third installment of AntiSec's ... collection of leaks intended to embarrass the same federal agency that presided over the hack and others.

Code Spaces Hosting Shutting Down After Attacker Deletes All Data

Unknown Lamer posted about 4 months ago | from the hackers-without-manners dept.

Security 387

An anonymous reader writes Code Spaces [a code hosting service] has been under DDOS attacks since the beginning of the week, but a few hours ago, the attacker managed to delete all their hosted customer data and most of the backups. They have announced that they are shutting down business. From the announcement: An unauthorized person who at this point is still unknown (All we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address. Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

At this point we took action to take back control of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.

Nokia Extorted For Millions Over Stolen Encryption Keys

Soulskill posted about 4 months ago | from the good-showing-all-around dept.

Cellphones 89

jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."

Researchers Outline Spammers' Business Ecosystem

timothy posted about 4 months ago | from the is-that-enough-info-to-send-the-rebel-alliance? dept.

Spam 14

An anonymous reader writes A team of researchers at UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns. Their results suggest that spammers develop a type of "customer loyalty"; spammers likely purchase preferred resources from actors that have "proven" themselves in the past. Previous work examined the market economy of the email address market in preparatory work: 1 million email addresses were offered on the examined forum for anywhere ranging between 20 and 40 Euros.

Book Review: Security Without Obscurity

samzenpus posted about 4 months ago | from the read-all-about-it dept.

Books 51

benrothke (2577567) writes Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe. Keep reading for the rest of Ben's review.

EU, South Korea Collaborate On Superfast 5G Standards

samzenpus posted about 4 months ago | from the greased-lightning dept.

EU 78

jfruh writes The European Commission and the South Korean government announced that they will be harmonizing their radio spectrum policy in an attempt to help bring 5G wireless tech to market by 2020. While the technology is still in an embryonic state, one South Korean researcher predicts it could be over a thousand times faster than current 4G networks.

Transforming the Web Into a Transparent 'HTTPA' Database

timothy posted about 4 months ago | from the security-still-needed-note dept.

Security 69

An anonymous reader writes MIT researchers believe the solution to misuse and leakage of private data is more transparency and auditability, not adding new layers of security. Traditional approaches make it hard, if not impossible, to share data for useful purposes, such as in healthcare. Enter HTTPA, HTTP with accountability.
From the article: "With HTTPA, each item of private data would be assigned its own uniform resource identifier (URI), a component of the Semantic Web that, researchers say, would convert the Web from a collection of searchable text files into a giant database. Every time the server transmitted a piece of sensitive data, it would also send a description of the restrictions on the data’s use. And it would also log the transaction, using the URI, in a network of encrypted servers."

Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt

timothy posted about 4 months ago | from the turning-a-ship-takes-a-while dept.

Data Storage 75

An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

timothy posted about 4 months ago | from the one-on-every-desktop dept.

Microsoft 250

alphadogg (971356) writes "Microsoft has been forced to start using its global stock of IPv4 addresses to keep its Azure cloud service afloat in the U.S., highlighting the growing importance of making the shift to IP version 6. The newer version of the Internet Protocol adds an almost inexhaustible number of addresses thanks to a 128-bit long address field, compared to the 32 bits used by version 4. The IPv4 address space has been fully assigned in the U.S., meaning there are no additional addresses available, Microsoft said in a blog post earlier this week. This requires the company to use the IPv4 address space available to it globally for new services, it said."

One Developer's Experience With Real Life Bitrot Under HFS+

timothy posted about 4 months ago | from the so-really-it's-both-plus-and-minus dept.

Bug 396

New submitter jackjeff (955699) writes with an excerpt from developer Aymeric Barthe about data loss suffered under Apple's venerable HFS+ filesystem. HFS+ lost a total of 28 files over the course of 6 years. Most of the corrupted files are completely unreadable. The JPEGs typically decode partially, up to the point of failure. The raw .CR2 files usually turn out to be totally unreadable: either completely black or having a large color overlay on significant portions of the photo. Most of these shots are not so important, but a handful of them are. One of the CR2 files in particular is a very good picture of my son when he was a baby. I printed and framed that photo, so I am glad that I did not lose the original. (Barthe acknowledges that data loss and corruption certainly aren't limited to HFS+; "bitrot is actually a problem shared by most popular filesystems, including NTFS and ext4." I wish I'd lost only 28 files over the years.)

Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

Soulskill posted about 4 months ago | from the 40-year-old-technology-will-save-us dept.

Security 142

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

European iPhone Chargers Prone To Overheating

Soulskill posted about 4 months ago | from the marketed-as-the-only-incendiary-device-you'll-ever-need dept.

Bug 128

jones_supa sends word that Apple has launched an exchange program for European iPhone USB power adapters. The company says its A1300 adapters were bundled with the iPhone 3GS, iPhone 4, and iPhone 4S models, and were also sold on their own from Oct. 2009 to Sept. 2012. The reason for the recall is that the adapters "may overheat and pose a safety risk." No further details are provided (a YouTube video shows a teardown of the device).

Man Behind Hacks of Bush Family and Other Celebs Indicted In the US

Soulskill posted about 4 months ago | from the bet-you-wish-you'd-stood-in-bed dept.

Crime 65

New submitter criticalmass24 writes: 42-year-old Marcel Lehel Lazar, better known as Guccifer, the hacker that gained unauthorized access to email and social network accounts of high-profile public figures, has been charged in the United States. According to the Department of Justice, "[F]rom December 2012 to January 2014, Lazar hacked into the e-mail and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff, and a former presidential adviser. After gaining unauthorized access to their e-mail and social media accounts, Lazar publicly released his victims’ private e-mail correspondence, medical and financial information, and personal photographs. The indictment also alleges that in July and August 2013, Lazar impersonated a victim after compromising the victim’s account." The full indictment can be read online.

AT&T Says Customer Data Accessed To Unlock Smartphones

Soulskill posted about 4 months ago | from the another-day-another-breach dept.

AT&T 65

itwbennett writes: Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed. The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn't say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.

The Computer Security Threat From Ultrasonic Networks

timothy posted about 4 months ago | from the why-your-bats-are-going-crazy dept.

Security 121

KentuckyFC (1144503) writes Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a setup known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated by Pwn2Own creator Dragos Ruiu.

Cybercriminals Ramp Up Activity Ahead of 2014 World Cup

samzenpus posted about 4 months ago | from the crime-wave dept.

Crime 90

wiredmikey (1824622) writes With the FIFA World Cup 2014 kicking off this week in Brazil, cybercriminals and scammers are working hard to take advantage of visitors to the World Cup in Brazil and those following the world soccer tournament online. In recent months, several security vendors have published advisories about the various scams, phishing and malware operations that target Internet users interested in the World Cup. While individuals from all over the world have been targeted, many of the malicious campaigns focus on Brazil and neighboring South American countries. While news that cybercriminals are zoning in on a large global event is no surprise, the scale and tactics being used are quite wide in scope, ranging from malware distribution and phishing scams, to fraudulent ticket sales, spam and other promising yet fraudulent schemes. For those visiting Brazil to watch the games in person, the cyber threats also include rogue wireless access points, ATMs rigged with card skimmers and Point-of-Sale malware.

TweetDeck Hacked

samzenpus posted about 4 months ago | from the have-a-heart dept.

Security 19

redletterdave (2493036) writes TweetDeck, Twitter's tool for real-time tracking and engagement of posts, was found to be vulnerable to cross-site scripting (XSS), a type of computer vulnerability commonly found in web applications that allows hackers to inject script into webpages to access user accounts and important security information. As a result of the hack, a tweet with an emoticon heart is being shared more than 38,000 times — automatically.

New Permission System Could Make Android Much Less Secure

Soulskill posted about 4 months ago | from the this-app-is-requesting-permission-to-shock-you-with-a-tazer dept.

Android 249

capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws

Unknown Lamer posted about 4 months ago | from the always-blame-wordpress dept.

Security 43

Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and are even used by Twitter, Google and Facebook."

Cisco Opposes Net Neutrality

Soulskill posted about 4 months ago | from the noted-and-filed dept.

Networking 337

angry tapir writes: All bits running over the Internet are not equal and should not be treated that way by broadband providers, despite net neutrality advocates' calls for traffic neutral regulations, Cisco Systems has said. Some Web-based applications, including rapidly growing video services, home health monitoring and public safety apps, will demand priority access to the network, while others, like most Web browsing and email, may live with slight delays, said Jeff Campbell, Cisco's vice president for government and community relations. "Different bits do matter differently. We need to ensure that we have a system that allows this to occur."

Credit Card Breach At P.F. Chang's

Soulskill posted about 4 months ago | from the another-day-another-breach dept.

Security 117

schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes: On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

Firefox 30 Available, Firebug 2.0 Released

Soulskill posted about 4 months ago | from the 30-is-over-the-hill dept.

Firefox 270

Today Mozilla made Firefox 30 available, a relatively minor release after the massive redesign in version 29. According to the changelog, new features include VP9 video decoding, support for Opus in WebM, and horizontal volume control for HTML5 video and audio. Developers got support for multi-line flexboxes and hang reporting for background threads. There were also a number of security fixes. The Android version of Firefox received better support for native text selection, cutting, and copying, as well as predictive lookup for Awesomebar entries. The availability of Firefox 30 coincides with the launch of Firebug 2.0, which features an updated UI and a new debugging engine called JSD2. Significant new features include JavaScript syntax highlighting and de-minifying, improved code auto-complete, and the capability to hide or show individual Firebug panels.

Auditors Release Verified Repositories of TrueCrypt

Soulskill posted about 4 months ago | from the still-not-sure-what's-going-on dept.

Encryption 146

Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.

NSA's Novel Claim: Our Systems Are Too Complex To Obey the Law

timothy posted about 4 months ago | from the complex-simple-same-thing dept.

Electronic Frontier Foundation 245

Reader Bruce66423 (1678196) points out skeptical-sounding coverage at the Washington Post of the NSA's claim that it can't hold onto information it collects about users' online activity long enough for it to be useful as evidence in lawsuits about the very practice of that collection. From the article: 'The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency's efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit alleges collect information about Americans' telephone and Internet activities. In a hearing Friday, U.S. District Judge for the Northern District of California Jeffrey S. White reversed an emergency order he had issued earlier the same week barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case. The data is collected under Section 702 of the Amendments Act to the Foreign Intelligence Surveillance Act. But the NSA argued that holding onto the data would be too burdensome. "A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information," wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court. The complexity of the NSA systems meant preservation efforts might not work, he argued, but would have "an immediate, specific, and harmful impact on the national security of the United States."' Adds Bruce66423: "This of course implies that they have no backup system — or at least that the backups are not held for long."

Grand Theft Auto V For Modern Platforms Confirmed

timothy posted about 4 months ago | from the spree-killing-for-everyone dept.

Graphics 133

jones_supa (887896) writes 'Since the release of the extremely successful Grand Theft Auto V on PlayStation 3 and Xbox 360, rumors about PC — and later also an Xbox One and PlayStation 4 — version have been floating around. Now it's official: Grand Theft Auto V will be released on Windows PC and Xbox One, in addition to PlayStation 4, this fall, publisher Rockstar Games announced today with a trailer. A post on Rockstar Newswire tells us that the ports will offer visual and technical improvements such as "increased draw distances, finer texture details, denser traffic and enhanced resolutions." All of the new GTA Online content that has been created and released since launch will be available also on the modern platforms. The PC version will exclusively include a video editor to allow players to put together their own clips of in-game action.'

Britain Gets National .uk Web Address

timothy posted about 4 months ago | from the actually-top-level dept.

The Internet 111

hypnosec (2231454) writes 'Starting today businesses and individuals in the UK will be able to register a new national web address (".uk") and drop their existing ".co.uk" or ".com" suffix in favour of a shorter and snappier domain name. The entire process along with the transition is being overseen by private yet not-for-profit organisation Nominet, which has already started notifying existing customers with a ".co.uk" domain of their chance to adopt a ".uk" domain. Nominet will reserve all ".uk" domain names which already have a ".co.uk" counterpart for the next five years, offering registrants the chance to adopt the new domain and to keep cyber squatters at bay.'

iOS 8 Strikes an Unexpected Blow Against Location Tracking

Unknown Lamer posted about 4 months ago | from the waiting-for-obvious-patents dept.

IOS 323

schwit1 (797399) writes 'It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize the MAC address, effectively disguising any trace of the real device until it decides to connect to a network.'

Kids With Operator's Manual Alert Bank Officials: "We Hacked Your ATM"

samzenpus posted about 4 months ago | from the protect-ya-neck dept.

Security 378

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operator's manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"

Did Russia Trick Snowden Into Going To Moscow?

samzenpus posted about 4 months ago | from the can-we-give-you-a-ride? dept.

United States 346

An anonymous reader writes "Ex-KGB Major Boris Karpichko says that spies from Russia's SVR intelligence service, posing as diplomats in Hong Kong, convinced Snowden to fly to Moscow last June. 'It was a trick and he fell for it,' Karpichko, who reached the rank of Major as a member of the KGB's prestigious Second Directorate while specializing in counter-intelligence, told Nelson. 'Now the Russians are extracting all the intelligence he possesses.'"

Tesla Makes Improvements To Model S

samzenpus posted about 4 months ago | from the better-and-better dept.

Transportation 136

An anonymous reader writes "In a lull between product launches Tesla intends to keep making improvements to the Model S according to Elon Musk. Tesla will automatically push software to the Model S fleet that will help the car learn the driver's habits and the navigation system will offer directions to avoid traffic jams. 'This year, Tesla is offering only the single model, the Model S that is EPA rated at up to 265 miles on a single charge, the most of any electric car. The company's next model won't come until next year, when the delayed Model X crossover goes on sale. Musk says the holdup has centered on making sure its signature design element, gullwing doors to make it easier to get in the rear, works properly and is leak-proof. "Getting the door right is extremely difficult," he says.'"

After the Belfast Project Fiasco, Time For Another Look At Time Capsule Crypto?

samzenpus posted about 4 months ago | from the time-after-time dept.

Encryption 170

JonZittrain (628028) writes "I'm curious whether there are good prospects for 'time capsule encryption,' one of several ways of storing information that renders it inaccessible to anyone until certain conditions — such as the passage of time — are met? Libraries and archives could offer such technology as part of accepting papers and manuscripts, especially in the wake of the 'Belfast Project' situation, where a library promised confidentiality for accounts of the Troubles in Northern Ireland, and then found itself amidst subpoenas from law enforcement looking to solve long-cold cases. But the principle could apply to any person or company thinking that there's a choice between leaving information exposed to leakage, or destroying it entirely. Some suggested solutions are very much out of the box."

IPMI Protocol Vulnerabilities Have Long Shelf Life

samzenpus posted about 4 months ago | from the protect-ya-neck dept.

Security 62

msm1267 (2804139) writes "If enterprises are indeed moving services off premises and into the cloud, there are four letters those companies' IT organizations should be aware of: IPMI. Short for Intelligent Platform Management Interface, these tiny computers live as an embedded Linux system attached to the motherboards of big servers from vendors such as IBM, Dell and HP. IPMI is used by a Baseboard Management Controller (BMC) to manage Out-of-Band communication, essentially giving admins remote control over servers and devices, including memory, networking capabilities and storage. This is particularly useful for hosting providers and cloud services providers who must manage gear and data in varied locations.

Noted researchers Dan Farmer, creator of the SATAN vulnerability scanner, and HD Moore, creator of Metasploit, have been collaborating on research into the vulnerabilities present in IPMI and BMCs and the picture keeps getting uglier. Last July, Farmer and Moore published some research on the issue based upon work Farmer was doing under a DARPA Cyber Fast Track Grant that uncovered a host of vulnerabilities, and Internet-wide scans for the IPMI protocol conducted by Moore. Farmer released a paper called 'Sold Down the River,' in which he chastises big hardware vendors for ignoring security vulnerabilities and poor configurations that are trivial to find and exploit."

Millions of Smart TVs Vulnerable To 'Red Button' Attack

Soulskill posted about 4 months ago | from the red-buttons-are-scarier-than-blue-buttons dept.

Security 155

An anonymous reader writes "Researchers from Columbia University's Network Security Lab discovered a flaw affecting millions of Smart TVs supporting the HbbTV standard. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to interact with any website on their behalf — Academic paper available online."

Report: Watch Dogs Game May Have Influenced Highway Sign Hacking

Soulskill posted about 4 months ago | from the video-games-caused-the-holocaust dept.

Security 154

An anonymous reader writes 'Earlier this month, at least three U.S. states reported that a hacker had broken into electronic road signs above major highways, with the hacker leaving messages for people to follow him on Twitter. The Multi-State Information Sharing and Analysis Center (MS-ISAC) produced an intelligence report blaming a Saudi Arabian hacker that the organization says likely got the idea from Watch Dogs, a new video game in which game play revolves around "hacking," with a focus on hacking critical infrastructure-based electronic devices in particular. "Watch Dogs allows players to hack electronic road signs, closed-circuit television cameras (CCTVs), street lights, cell phones and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dogs players will experiment with compromising computers and electronic systems outside of game play, and that this activity will likely affect SSLT [state, local, tribal and territorial] government systems and Department of Transportation (DOT) systems in particular." The signs allowed telnet and were secured with weak or default passwords. The report came out on the same day that The Homeland Security Department cautioned transportation operators about a security hole in some electronic freeway billboards that could let hackers display bogus warnings to drivers.'

Microsoft Fixing Windows 8 Flaws, But Leaving Them In Windows 7

Soulskill posted about 4 months ago | from the probably-not-fixing-them-in-win-95-either dept.

Windows 218

mask.of.sanity sends this news from El Reg: "Microsoft has left Windows 7 exposed by only applying security upgrades to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries using a custom diffing tool and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day vulnerabilities. The missing safe functions were part of Microsoft's dedicated libraries intsafe.h and strsafe.h that help developers combat various attacks. [Video, slides.]"

Intel Core i7-4790K Devil's Canyon Increases Clocks By 500 MHz, Lowers Temps

timothy posted about 4 months ago | from the free-lunch dept.

Intel 57

Vigile (99919) writes "Since the introduction of Intel's Ivy Bridge processors there was a subset of users that complained about the company's change of thermal interface material between the die and the heat spreader. With the release of the Core i7-4790K, Intel is moving to a polymer thermal interface material that claims to improve cooling on the Haswell architecture, along with the help of some added capacitors on the back of the CPU. Code named Devil's Canyon, this processor boosts stock clocks by 500 MHz over the i7-4770K all for the same price ($339) and lowers load temperatures as well. Unfortunately, in this first review at PC Perspective, overclocking doesn't appear to be improved much."

Whom Must You Trust?

Soulskill posted about 5 months ago | from the mainly-just-late-night-infomercial-spokepeople dept.

Crime 120

CowboyRobot writes: 'In ACM's Queue, Thomas Wadlow argues that "Whom you trust, what you trust them with, and how much you trust them are at the center of the Internet today." He gives a checklist of what to look for when evaluating any system for trustworthiness, chock full of fascinating historical examples. These include NASA opting for a simpler, but more reliable chip; the Terry Childs case; and even an 18th century "semaphore telegraph" that was a very early example of steganographic cryptography. From the article: "Detecting an anomaly is one thing, but following up on what you've detected is at least as important. In the early days of the Internet, Cliff Stoll, then a graduate student at Lawrence Berkeley Laboratories in California, noticed a 75-cent accounting error on some computer systems he was managing. Many would have ignored it, but it bothered him enough to track it down. That investigation led, step by step, to the discovery of an attacker named Markus Hess, who was arrested, tried, and convicted of espionage and selling information to the Soviet KGB."'

How FBI Informant Sabu Helped Anonymous Hack Brazil

samzenpus posted about 5 months ago | from the working-for-the-man dept.

United States 59

Daniel_Stuckey (2647775) writes 'A year after leaked files exposed the National Security Agency's efforts to spy on citizens and companies in Brazil, previously unpublished chat logs obtained by Motherboard reveal that while under the FBI's supervision, Hector Xavier Monsegur, widely known by his online persona, "Sabu," facilitated attacks that affected Brazilian websites. The operation raises questions about how the FBI uses global Internet vulnerabilities during cybercrime investigations, how it works with informants, and how it shares information with other police and intelligence agencies.

After his arrest in mid-2011, Monsegur continued to organize cyber attacks while working for the FBI. According to documents and interviews, Monsegur passed targets and exploits to hackers to disrupt government and corporate servers in Brazil and several other countries. Details about his work as a federal informant have been kept mostly secret, aired only in closed-door hearings and in redacted documents that include chat logs between Monsegur and other hackers. The chat logs remain under seal due to a protective order upheld in court, but in April, they and other court documents were obtained by journalists at Motherboard and the Daily Dot.'

A Year After Snowden's Disclosures, EFF, FSF Want You To Fight Surveillance

timothy posted about 5 months ago | from the why-make-it-easy-for-'em? dept.

Electronic Frontier Foundation 108

Today, as the EFF notes, marks one year from Edward Snowden's first document leaks, and the group is using that as a good spur to install free software intended to make it harder for anyone (the NSA is certainly not the first, and arguably far from the worst) to spy on your electronic communications. Nowadays, that means nearly everything besides face-to-face communication, or paper shipped through the world's postal systems. Reader gnujoshua (540710) highlights one of the options: 'The FSF has published a (rather beautiful) infographic and guide to encrypting your email using GnuPG. In their blog post announcing the guide they write: "One year ago today, an NSA contractor named Edward Snowden went public with his history-changing revelations about the NSA's massive system of indiscriminate surveillance. Today the FSF is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder."' Serendipitous timing: a year and a day ago, we mentioned a UN report that made explicit the seemingly obvious truth that undue government surveillance, besides being an affront in itself, chills free speech. (Edward Snowden agrees.)

Microsoft Confirms Disconnecting Kinect Gives Devs 10% More GPU Horsepower

timothy posted about 5 months ago | from the remove-airbags-install-rollcage dept.

XBox (Games) 174

MojoKid (1002251) writes 'Microsoft confirmed a development rumor that's been swirling around its next-generation console ever since it announced Kinect would become an optional add-on rather than a mandatory boat anchor. Lifting that requirement will give game developers 10 percent additional graphics power to play with and help close the gap between the Xbox One and PS4. The story kicked off when Xbox head Phil Spencer tweeted that June's Xbox One dev kit gave devs access to more GPU bandwidth. Further, another Microsoft representative then confirmed that the performance improvement coming in the next version of the Xbox SDK was the result of making Kinect an optional accessory. No matter how Microsoft may try to spin it, cancelling Kinect isn't just a matter of giving game developers freedom, it's a tacit admission that game developers have no significant projects in play that are expected to meaningfully tap Kinect to deliver a great game experience — and they need those GPU cycles back.' Also on the Xbox capabilities front: Reader BogenDorpher (2008682) writes 'In August of last year, a Microsoft spokesman confirmed that the Xbox One controller will be compatible for PC users sometime in 2014. That time has finally come. Windows gamers can now use the Xbox One controller to play games on their computer. If a game supports a USB gamepad or the Xbox 360 controller, it will also support the Xbox One controller.'

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

timothy posted about 5 months ago | from the disclosure-of-diclosure dept.

Security 217

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

SpaceX Landing Video Cleanup Making Progress

timothy posted about 5 months ago | from the from-worse-to-bad dept.

Bug 54

Maddog Batty (112434) writes 'The fine people at the NASA Space Flight Forum are making good progress on restoring the corrupted landing video reported earlier. It is worth looking at the original video to see how bad it was and then at the latest restored video. It is now possible to see the legs being deployed, the sea coming closer and a big flame ball as the rocket plume hits the water. An impressive improvement so far and it is still being actively worked on so further refinements are likely.' Like Maddog Batty, I'd suggest watching the restored version first (note: the video is lower on the page), to see just what a big improvement's been made so far.

Life Sentences For Serious Cyberattacks Proposed In Britain

samzenpus posted about 5 months ago | from the do-not-pass-go dept.

United Kingdom 216

Bismillah (993337) writes 'The British government wants life in prison for hackers who cause disruption to computer networks, resulting in loss of life or threat to the country's national security. From the article: "The UK government will seek to amend the 1990 Computer Misuse Act 'to ensure sentences for attacks on computer systems fully reflect the damage they cause.' Currently, the law provides for a maximum sentence of ten years' imprisonment for those who commit the offence of impairing a computer. A new, aggravated offence of unauthorised access to a computer will be introduced into the Computer Misuse Act by the government, carrying far longer sentences."'

DARPA's Cyber Grand Challenge Offers $3.75 Million In Prizes

Unknown Lamer posted about 5 months ago | from the and-a-trip-to-gitmo dept.

Security 10

An anonymous reader writes "Computer security experts from academia, industry and the larger security community have organized themselves into more than 30 teams to compete in DARPA's Cyber Grand Challenge, a tournament designed to speed the development of automated security systems able to defend against cyberattacks as fast as they are launched. The Challenge plans to follow a 'capture the flag' competition format that experts have used for more than 20 years to test their cyber defense skills. The winning team from the CGC finals stands to receive a cash prize of $2 million. Second place can earn $1 million and third place $750,000."

Google Announces 'End-To-End' Encryption Extension For Chrome

Soulskill posted about 5 months ago | from the wouldn't-beginning-to-end-work-better dept.

Chrome 100

Nexus Unplugged (2495076) writes 'On their security blog today, Google announced a new Chrome extension called "End-To-End" intended to make browser-based encryption of messages easier for users. The extension, which was rumored to be "underway" a couple months ago, is currently in an "alpha" version and is not yet available pre-packaged or in the Chrome Web Store. It utilizes a Javascript implementation of OpenPGP, meaning that your private keys are never sent to Google. However, if you'd like to use the extension on multiple machines, its keyring is saved in localStorage, which can be encrypted with a passphrase before being synced. The extension still qualifies for Google's Vulnerability Reward Program, and joins a host of PGP-related extensions already available for Chrome.' Google also published a report showing how much email is encrypted in transit between Gmail addresses and those from other providers.

Tech Worker Groups Boycott IBM, Infosys, Manpower

Soulskill posted about 5 months ago | from the can't-we-all-just-get-along dept.

IBM 234

itwbennett writes: "Three U.S. tech worker groups have launched a labor boycott of IBM, Infosys and Manpower, saying the companies have engaged in a pattern that discourages U.S. workers from applying for U.S. IT jobs by tailoring employment ads toward overseas workers. For its part, Infosys disputed the charges, saying that 'it is incorrect to allude that we exclude or discourage U.S. workers. Today, we are recruiting for over 440 active openings across 20 states in the U.S.' Representatives from IBM and Manpower didn't respond to requests for comment on the boycott."

GnuTLS Flaw Leaves Many Linux Users Open To Attacks

Soulskill posted about 5 months ago | from the with-many-eyes-all-maintainers-are-grumpy dept.

Encryption 127

A new flaw has been discovered in the GnuTLS cryptographic library that ships with several popular Linux distributions and hundreds of software implementations. According to the bug report, "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code." A patch is currently available, but it will take time for all of the software maintainers to implement it. A lengthy technical analysis is available. "There don't appear to be any obvious signs that an attack is under way, making it possible to exploit the vulnerability in surreptitious 'drive-by' attacks. There are no reports that the vulnerability is actively being exploited in the wild."

Bill Blunden's Rejected DEF CON Presentation Posted Online

timothy posted about 5 months ago | from the what-I-was-going-to-say dept.

China 40

Nicola Hahn (1482985) writes "Though the Review Board at DEF CON squelched Bill Blunden's presentation on Chinese cyber-espionage, and the U.S. government has considered imposing visa restrictions to keep out Chinese nationals, Bill has decided to post both the presentation's slide deck and its transcript online. The talk focuses on Mike Rogers, in all his glory, a former FBI agent who delivers a veritable litany of hyperbolic misstatements (likely to be repeated endlessly on AM radio). Rather than allow the DEFCON Review Board to pass judgement as supposed .gov 'experts,' why not allow people to peruse the material and decide for themselves who is credible and who is not?" "Squelched" seems a little harsh (only so many talks can fit, and there's no accounting for taste), but it's certainly good to see any non-accepted DEF CON presentations made public.

Intel Announces Devil's Canyon Core I7-4790K: 4GHz Base Clock, 4.4GHz Turbo

timothy posted about 5 months ago | from the let-the-bleeding-edge-do-the-bleeding dept.

Intel 157

MojoKid (1002251) writes "Last year, Intel launched two new processor families based on the Haswell and Ivy Bridge-E based Core i7 architecture. Both chips were just incremental updates over their predecessors. Haswell may have delivered impressive gains in mobile, but it failed to impress on the desktop where it was only slightly faster than the chip it replaced. Enthusiasts weren't terribly excited about either core but Intel is hoping its new Devil's Canyon CPU, which launches today, will change that. The new chip is the Core i7-4790K and it packs several new features that should appeal to the enthusiast and overclocking markets. First, Intel has changed the thermal interface material from the paste it used in the last generation over to a new Next Generation Polymer Thermal Interface Material, or as Intel calls it, 'NGPTIM.' Moving Haswell's voltage regulator on-die proved to be a significant problem for overclockers since it caused dramatic heat buildup that was only exacerbated by higher clock speeds. Overclockers reported that removing Haswell's lid could boost clock speeds by several hundred MHz. The other tweak to the Haswell core is a great many additional capacitors, which have been integrated to smooth power delivery at higher currents. This new chip gives Haswell a nice lift. If the overclocking headroom delivers on top of that, enthusiasts might be able to hit 4.7-4.8GHz on standard cooling."
