
The Security Industry Is Failing Miserably At Fixing Underlying Dangers

Soulskill posted about 2 months ago | from the closing-the-barn-door dept.

Security 205

cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.

Why Software Builds Fail

Soulskill posted about 2 months ago | from the failure-to-bribe-the-hamster dept.

Bug 279

itwbennett writes: A group of researchers from Google, the Hong Kong University of Science and Technology and the University of Nebraska undertook a study of over 26 million builds by 18,000 Google engineers from November 2012 through July 2013 to better understand what causes software builds to fail and, by extension, to improve developer productivity. And, while Google isn't representative of every developer everywhere, there are a few findings that stand out: Build frequency and developer (in)experience don't affect failure rates, most build errors are dependency-related, and C++ generates more build errors than Java (but they're easier to fix).

Trivial Bypass of PayPal Two-Factor Authentication On Mobile Devices

Unknown Lamer posted about 2 months ago | from the just-turn-it-off dept.

Security 47

chicksdaddy (814965) writes "According to DUO, PayPal's mobile app doesn't yet support Security Key and displays an error message to users with the feature enabled when they try to log in to their PayPal account from a mobile device, terminating their session automatically. However, researchers at DUO noticed that the PayPal iOS application would briefly display a user's account information and transaction history prior to displaying that error message and logging them out. ... The DUO researchers investigated: intercepting and analyzing the Web transaction between the PayPal mobile application and PayPal's back end servers and scrutinizing how sessions for two-factor-enabled accounts versus non-two-factor-enabled accounts were handled. They discovered that the API uses the OAuth technology for user authentication and authorization, but that PayPal only enforces the two-factor requirement on the client — not on the server." The attack worked simply by intercepting a server response and toggling a flag (2fa_enabled) from true to false. After being alerted, PayPal added a workaround to limit the scope of the hole. Update: 06/26 00:42 GMT by T : (Get the story straight from the source: Here's the original report from DUO.)
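The flaw described above is a general one: the server hands the client a flag (here `2fa_enabled`) and then relies on the client to refuse to proceed, while every API endpoint accepts any session token regardless of whether the second factor was ever completed. The following is an added example, not PayPal's or Duo's code; the login/OTP/account-history API, the user records and the OTP values are all constructed for illustration. It models the intercepting proxy flipping the flag and shows that the bypass only works against the endpoint that trusts the client, not against one that checks the server-side session state.

```python
"""Client-side versus server-side enforcement of a second factor.

Added example, not PayPal's or Duo's code. The API shape (login, verify_otp,
account_history_*), the user records and the OTP values are all constructed.
"""
import hmac
import secrets
from dataclasses import dataclass

# Constructed user store: password, whether a second factor (OTP) is enabled,
# and the expected one-time code.
USERS = {
    "alice": {"password": "correct horse", "tfa_enabled": True, "otp": "123456"},
    "bob": {"password": "hunter2", "tfa_enabled": False, "otp": None},
}


@dataclass
class Session:
    user: str
    second_factor_verified: bool


class Server:
    def __init__(self):
        self.sessions = {}  # token -> Session

    def login(self, username, password):
        """Password step. Returns a token plus the 2fa_enabled flag the
        client is expected to act on."""
        record = USERS.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            return {"error": "bad credentials"}
        token = secrets.token_hex(16)
        needs_second_factor = record["tfa_enabled"]
        # The server keeps its own record of whether the second factor is still owed.
        self.sessions[token] = Session(username, second_factor_verified=not needs_second_factor)
        return {"token": token, "2fa_enabled": needs_second_factor}

    def verify_otp(self, token, otp):
        """Second-factor step; upgrades the server-side session on success."""
        session = self.sessions.get(token)
        expected = USERS[session.user]["otp"] if session else None
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        session.second_factor_verified = True
        return True

    def account_history_client_enforced(self, token):
        """Vulnerable pattern: any valid token is enough; the server relies on
        the client having stopped when 2fa_enabled was true."""
        session = self.sessions.get(token)
        return None if session is None else f"history for {session.user}"

    def account_history_server_enforced(self, token):
        """Fixed pattern: the server checks its own record of the session state."""
        session = self.sessions.get(token)
        if session is None or not session.second_factor_verified:
            return None
        return f"history for {session.user}"


def client_flow(server, username, password, proxy=None):
    """Mobile client that does not implement the second factor: it logs in,
    honours 2fa_enabled by aborting, and otherwise fetches the history from
    both endpoints. `proxy` models an intercepting proxy rewriting the response."""
    resp = server.login(username, password)
    if proxy is not None:
        resp = proxy(resp)
    if "error" in resp or resp["2fa_enabled"]:
        return {"client_enforced": None, "server_enforced": None}
    token = resp["token"]
    return {
        "client_enforced": server.account_history_client_enforced(token),
        "server_enforced": server.account_history_server_enforced(token),
    }


def flip_2fa_flag(resp):
    """The intercept described in the story: 2fa_enabled true -> false."""
    tampered = dict(resp)
    if "2fa_enabled" in tampered:
        tampered["2fa_enabled"] = False
    return tampered
```

The check to carry away: a token issued after the password step alone must not be usable for anything beyond the second-factor step itself, and that decision has to be made from state the server holds, never from a field the client echoes back.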

Google I/O 2014 Begins [updated]

samzenpus posted about 2 months ago | from the hot-off-the-presses dept.

Android 49

Google I/O, the company's annual developer tracking^wdevelopers conference, has opened today in San Francisco. This year the company has reduced the number of conference sessions to 80, but also promised a broader approach than in previous years -- in other words, the focus may shift a bit from Google's best-known platforms (Chrome/Chrome OS and Android). Given its wide-ranging acquisitions and projects (like the recent purchase of Nest, which itself promptly bought Dropcam, the ever smarter fleet of self-driving cars, the growing number of Glass devices in the wild, and the announcement of a 3D scanning high end tablet quite unlike the Nexus line of tablets and phones), there's no shortage of edges to focus on. Judging from the booths set up in advance of the opening (like one with a sign announcing "The Physical Web"), expect some of the stuff that gets lumped into "the Internet of Things." Watch this space -- updates will appear below -- for notes from the opening keynote, or follow along yourself with the live stream, and add your own commentary in the comments. In the days to come, watch for some video highlights of projects on display at I/O, too. Update: 06/25 17:41 GMT by T : Updates rolling in below on Android, wearables, Android in cars, Chromecast, smart watches, etc. Keep checking back! (Every few minutes, I get another chunk in there.)

Banking Fraud Campaign Steals 500k Euros In a Week

Unknown Lamer posted about 2 months ago | from the red-stapler dept.

Security 35

An anonymous reader writes The experts at Kaspersky Lab have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million euros from accounts in the bank. The experts also detected transaction logs on the server, containing information about which sums of money were taken from which accounts. All in all, more than 190 victims could be identified, most of them located in Italy and Turkey. The sums stolen from each bank account, according to the logs, ranged from 1,700 to 39,000 euros.

Workaholism In America Is Hurting the Economy

Soulskill posted about 2 months ago | from the being-productive-vs.-looking-productive dept.

Businesses 710

An anonymous reader writes Work/life balance is a constant problem in the tech industry. Even though experienced and mature engineers have been vocal in fighting it, every new generation buys into the American cultural identity of excessive work being a virtue. Each generation suffers for it, and the economy does, too. This article backs up that wisdom with hard numbers: "The 40-hour workweek is mostly a thing of the past. Ninety-four percent of professional workers put in 50 or more hours, and nearly half work 65 or above. All workers have managed to cut down on our time on the job by 112 hours over the last 40 years, but we're far behind other countries: The French cut down by 491 hours, the Dutch by 425, and Canadians by 215 in the same time period. ... This overwork shows up in our sleep. Out of five developed peers, four other countries sleep more than us. That has again worsened over the years. In 1942, more than 80 percent of Americans slept seven hours a night or more. Today, 40 percent sleep six hours or less. A lack of sleep makes us poorer workers: People who sleep less than seven hours a night have a much harder time concentrating and getting work done."

They're Spying On You: Hacking Team Mobile Malware, Infrastructure Uncovered

timothy posted about 2 months ago | from the leviathan-has-a-posse dept.

Government 48

msm1267 (2804139) writes Controversial spyware commercially developed by Italy's Hacking Team and sold to governments and law enforcement for the purpose of surveillance has a global command and control infrastructure. For the first time, security experts have insight into how its mobile malware components work. Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting Hacking Team's Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. Adds reader Trailrunner7: [T]he report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices. The new modules provide governments and law enforcement officers with extensive monitoring capabilities over victims, including the ability to report on their location, steal data from their device, use the device's microphone in real time, intercept voice and SMS messages sent via applications such as Skype, WhatsApp, Viber, and much more.

Improperly Anonymized Logs Reveal Details of NYC Cab Trips

Unknown Lamer posted about 2 months ago | from the check-your-proof dept.

Math 192

mpicpp (3454017) writes with news that a dump of fare logs from NYC cabs resulted in trip details being leaked thanks to using an MD5 hash on input data with a very small key space and regular format. From the article: City officials released the data in response to a public records request and specifically obscured the drivers' hack license numbers and medallion numbers. ... Presumably, officials used the hashes to preserve the privacy of individual drivers since the records provide a detailed view of their locations and work performance over an extended period of time.

It turns out there's a significant flaw in the approach. Because both the medallion and hack numbers are structured in predictable patterns, it was trivial to run all possible iterations through the same MD5 algorithm and then compare the output to the data contained in the 20GB file. Software developer Vijay Pandurangan did just that, and in less than two hours he had completely de-anonymized all 173 million entries.
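The attack above works because an unkeyed hash of a value drawn from a small, structured set is just a lookup problem: enumerate the set, hash every member once, and index the output. The following added example (not Pandurangan's code) reproduces that lookup against constructed trip rows and shows the keyed alternative (HMAC with a secret the publisher keeps) that defeats it. The identifier format used here, one digit, one letter and two digits such as `2X65`, is an assumption for illustration, not the real NYC medallion or hack-license format, and the secret key and sample rows are constructed.

```python
"""Reversing an unkeyed MD5 "anonymization" of a small, structured key space,
and the keyed alternative.

Added example, not Pandurangan's code. The medallion format (one digit, one
letter, two digits), the sample rows and the secret key are all assumptions
made for illustration.
"""
import hashlib
import hmac
import itertools
import string


def medallion_keyspace():
    """Enumerate every identifier in the assumed format, e.g. '2X65'.
    9 * 26 * 100 = 23,400 values: far too few to resist brute force."""
    for digit, letter, num in itertools.product(
        "123456789", string.ascii_uppercase, range(100)
    ):
        yield f"{digit}{letter}{num:02d}"


def md5_hex(value):
    return hashlib.md5(value.encode()).hexdigest()


def build_lookup_table(hash_fn, keyspace):
    """Precompute hash -> plaintext for the whole key space. The space is
    small enough to store in full, so no rainbow-table chaining is needed."""
    return {hash_fn(m): m for m in keyspace}


def deanonymize(rows, table):
    """Replace the hashed identifier in each row with the recovered plaintext
    (None when the hash is not in the table)."""
    return [(table.get(hashed), *rest) for hashed, *rest in rows]


def hmac_pseudonym(value, key):
    """Keyed alternative: without `key` an attacker cannot rebuild the table."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


# Constructed sample rows: (hashed medallion, pickup time, fare), produced the
# way the released data set was, by MD5-hashing the raw identifier.
RAW_TRIPS = [
    ("2X65", "2013-01-01 00:05", 9.50),
    ("7B03", "2013-01-01 00:07", 14.00),
    ("2X65", "2013-01-01 00:41", 6.00),
]
RELEASED_TRIPS = [(md5_hex(m), t, f) for m, t, f in RAW_TRIPS]


def recover_released_trips():
    """The attack: one pass over the key space, then a dictionary lookup per row."""
    table = build_lookup_table(md5_hex, medallion_keyspace())
    return deanonymize(RELEASED_TRIPS, table)


def attack_keyed_release(attacker_guess_key=b"guess"):
    """The same table attack against an HMAC release, without the real key.
    Returns how many rows the attacker manages to link back to a medallion."""
    secret = b"a-long-random-key-kept-by-the-publisher"  # assumed; never released
    released = [(hmac_pseudonym(m, secret), t, f) for m, t, f in RAW_TRIPS]
    table = build_lookup_table(
        lambda v: hmac_pseudonym(v, attacker_guess_key), medallion_keyspace()
    )
    return sum(1 for m, *_ in deanonymize(released, table) if m is not None)
```

Two caveats a practitioner would add. First, a keyed hash is still deterministic, so every trip by the same driver carries the same pseudonym; that linkability is what makes the data useful for analysis, but it also means a driver can still be re-identified from trip patterns alone, and if linkage across releases is itself the risk, a fresh random key (or random tokens) per release is needed. Second, a per-record salt would not help here: the published data needs one stable pseudonym per driver, and a salt stored alongside the hash is part of the key space the attacker already enumerates.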

Court Releases DOJ Memo Justifying Drone Strike On US Citizen

samzenpus posted about 2 months ago | from the new-rules dept.

United States 371

An anonymous reader writes in with news that the memo presenting a case for killing Anwar al-Awlaki has been released thanks to a Freedom of Information Act lawsuit. The U.S. Court of Appeals for the Second Circuit on Monday released a secret 2010 Justice Department memo justifying the killing of Anwar al-Awlaki, a U.S. citizen killed in a drone strike in 2011. The court released the document as part of a Freedom of Information Act lawsuit filed by The New York Times and the American Civil Liberties Union to make the document public. Then-acting Assistant Attorney General David Barron, in the partially redacted 41-page memo, outlines the justification of the drone strike in Yemen to take out al-Awlaki, an alleged operational leader of al Qaeda.

Over 300,000 Servers Remain Vulnerable To Heartbleed

samzenpus posted about 2 months ago | from the protect-ya-neck dept.

Security 74

An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."

Age Discrimination In the Tech Industry

Soulskill posted about 2 months ago | from the get-off-my-lawn dept.

Technology 370

Presto Vivace writes: Fortune has an article about increasingly overt age discrimination in the tech industry. Quoting: "It's a widely accepted reality within the technology industry that youth rules. But at least part of the extreme age imbalance can be traced back to advertisements for open positions that government regulators say may illegally discriminate against older applicants. Many tech companies post openings exclusively for new or recent college graduates, a pool of candidates that is overwhelmingly in its early twenties. ... 'In our view, it's illegal,' Raymond Peeler, senior attorney advisor at the Equal Employment Opportunity Commission, the federal agency that enforces workplace discrimination laws said about the use of 'new grad' and 'recent grad' in job notices. 'We think it deters older applicants from applying.'" Am I the only one who thinks many of the quality control issues and failed projects in the tech industry can be attributed to age discrimination?

Google Forks OpenSSL, Announces BoringSSL

Soulskill posted about 2 months ago | from the if-you-want-something-done-right dept.

Security 128

An anonymous reader writes Two months after OpenBSD's LibreSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!"

Open-Source NVIDIA Driver Steps Up Its Game & Runs Much Faster

timothy posted about 2 months ago | from the when-factors-combine dept.

Graphics 143

An anonymous reader writes "With the Linux 3.16 kernel the Nouveau driver now supports re-clocking for letting the NVIDIA GPU cores and video memory on this reverse-engineered NVIDIA driver run at their designed frequencies. Up to now the Nouveau driver has been handicapped to running at whatever (generally low) clock frequencies the video BIOS programmed the hardware to at boot time, but with Linux 3.16 there is experimental support for up-clocking to the hardware-rated speeds. The results show the open-source NVIDIA driver running multiple times faster, but it doesn't work for all NVIDIA hardware, causes lock-ups for some GPUs at some frequencies, and isn't yet dynamically controlled. However, it appears to be the biggest break-through in years for this open-source NVIDIA driver that up to now has been too slow for most Linux games."

Supermicro Fails At IPMI, Leaks Admin Passwords

Soulskill posted about 2 months ago | from the bet-they-fix-it-now dept.

Security 102

drinkypoo writes: Zachary Wikholm of Security Incident Response Team (CARISIRT) has publicly announced a serious failure in IPMI BMC (management controller) security on at least 31,964 public-facing systems with motherboards made by SuperMicro: "Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152." These BMCs are running Linux 2.6.17 on a Nuvoton WPCM450 chip. An exploit will be rolled into metasploit shortly. There is already a patch available for the affected hardware.

Judge: $324M Settlement In Silicon Valley Tech Worker Case Not Enough

Soulskill posted about 2 months ago | from the good-news-for-the-lawyers dept.

Google 150

itwbennett writes: "A proposed $324.5 million settlement of claims that Silicon Valley companies (Adobe, Apple, Google, and Intel) suppressed worker wages by agreeing not to hire each others' employees may not be high enough, a judge signaled on Thursday. Judge Lucy Koh didn't say whether she would approve the settlement, but she did say in court that she was worried about whether that amount was fair to the roughly 64,000 technology workers represented in the case. Throughout Thursday's hearing, she questioned not just the amount but the logic behind the settlement as presented by lawyers for both the plaintiffs and the defendants."

German Intel Agency Helped NSA Tap Fiber Optic Cables In Germany

samzenpus posted about 2 months ago | from the no-i-in-team dept.

United States 103

An anonymous reader writes Der Spiegel has written a piece on the extent of collaboration between Germany's intelligence agency, Bundesnachrichtendienst (BND), and the U.S.'s National Security Agency (NSA). The sources cited in the piece do reveal BND's enthusiastic collusion in enabling the NSA to tap fiber optic cables in Germany, but they seem inconclusive as to how much information from the NSA's collection activity in the country is actually shared between the NSA and BND. Of note is evidence that the NSA's collection methods do not automatically exclude German companies and organizations from their data sweep; intelligence personnel have to retroactively do so on an individual basis when they realize that they are surveilling German targets. Germany's constitution protects against unwarranted surveillance of correspondence, either by post or telecommunications, of German citizens in Germany or abroad and foreigners on German soil.

Ask Slashdot: How To Bequeath Sensitive Information?

timothy posted about 2 months ago | from the and-to-my-terrrible-son-william dept.

Encryption 208

New submitter UrsaMajor987 (3604759) writes I recently retired after a long career in IT. I am not ready to kick the bucket quite yet, but having seen the difficulty created by people dying without a will and documenting what they have and where it is, I am busy doing just that. At the end of it all, I will have documentation on financial accounts, passwords, etc., which I will want to share with a few people who are pretty far away. I can always print a copy and have it delivered to them, but is there any way to share this sort of information electronically? There are lots of things to secure transmission of data, but once it arrives on the recipients' desktop, you run the risk of their system being compromised and exposing the data. Does anyone have any suggestions? Is paper still the most secure way to go?

Research Project Pays People To Download, Run Executables

timothy posted about 2 months ago | from the seller's-market dept.

Security 76

msm1267 (2804139) writes Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

Intel To Offer Custom Xeons With Embedded FPGAs For the Data Center

timothy posted about 2 months ago | from the bitcoin-obviously dept.

Intel 80

MojoKid (1002251) writes For years, we've heard rumors that Intel was building custom chips for Google or Facebook, but these deals have always been assumed to work with standard hardware. Intel might offer a different product SKU with non-standard core counts, or a specific TDP target, or a particular amount of cache — but at the end of the day, these were standard Xeon processors. Today, it looks like that's changing for the first time — Intel is going to start embedding custom FPGAs into its own CPU silicon. The new FPGA-equipped Xeons will occupy precisely the same socket and platform as the standard, non-FPGA Xeons. Nothing will change on the customer front (BIOS updates may be required), but the chips should be drop-in compatible. The company has not stated who provided its integrated FPGA design, but Altera is a safe bet. The two companies have worked together on multiple designs and Altera (which builds FPGAs) is using Intel for its manufacturing. This move should allow Intel to market highly specialized performance hardware to customers willing to pay for it. By using FPGAs to accelerate certain specific types of workloads, Intel Xeon customers can reap higher performance for critical functions without translating the majority of their code to OpenCL or bothering to update it for GPGPU.

Malware Posing As Official Google Play Store Evades Most Security Checks

timothy posted about 2 months ago | from the ok-ok-using-ios-doesn't-count dept.

Android 100

DavidGilbert99 (2607235) writes Mobile malware on Android is nothing new, but now security company FireEye has discovered in the Google Play store a sophisticated piece of malware which is posing as ... the official Google Play store. Using the same icon but a different name, the malware is not being detected by the vast majority of security vendors, is difficult to uninstall and steals your messages, security certificates and banking details.

TrueCrypt Author Claims That Forking Is Impossible

timothy posted about 2 months ago | from the it's-forking-impossible-man dept.

Encryption 250

An anonymous reader writes On a request from Matthew Green to fork the TrueCrypt code, the author answers that this is impossible. He says that this might not be a good idea, because the code needs a rewrite, but he allows the existing code to be used as a reference. "I am sorry, but I think what you're asking for here is impossible. I don't feel that forking TrueCrypt would be a good idea, a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn't require much more work than actually learning and understanding all of truecrypts current codebase. I have no problem with the source code being used as reference."

Restored Bletchley Park Opens

Unknown Lamer posted about 2 months ago | from the things-to-see dept.

United Kingdom 51

Graculus (3653645) writes with this excerpt from the BBC: Codebreakers credited with shortening World War Two worked in Bletchley Park, in structures built to last only a few years. Now, following a painstaking restoration, they have been brought back to life and Wednesday's official opening marks a remarkable turnaround from top secrecy to world wide attraction. With no photographs of the insides to work with, Bletchley Park looked to its most valuable resource — the veterans who worked there. A museum at the site has already been opened. The structures were once perilously close to being lost forever (until Google stepped in).

How Sabu Orchestrated the Hack of FBI Contractor ManTech

Unknown Lamer posted about 2 months ago | from the security-through-marketing dept.

Security 34

Daniel_Stuckey (2647775) writes Weeks after he started working quietly as an FBI informant, Hector Xavier Monsegur, known by his online alias "Sabu," led a cyber attack against one of the bureau's very own IT contractors. In July 2011, at Monsegur's urging, members of AntiSec, an offshoot of the hacking collective Anonymous, took advantage of compromised log-in credentials belonging to a contractor with a top secret security clearance employed at the time by ManTech International.

According to chat logs recorded by Monsegur at the behest of the FBI and obtained by Motherboard, the informant directed hackers to pilfer as much data as possible from ManTech's servers as investigators stood by. Stolen data was published as the third installment of AntiSec's ... collection of leaks intended to embarrass the same federal agency that presided over the hack and others.

Code Spaces Hosting Shutting Down After Attacker Deletes All Data

Unknown Lamer posted about 2 months ago | from the hackers-without-manners dept.

Security 387

An anonymous reader writes Code Spaces [a code hosting service] has been under DDOS attacks since the beginning of the week, but a few hours ago, the attacker managed to delete all their hosted customer data and most of the backups. They have announced that they are shutting down business. From the announcement: An unauthorized person who at this point is still unknown (All we can say is that we have no reason to think it's anyone who is or was employed with Code Spaces) had gained access to our Amazon EC2 control panel and had left a number of messages for us to contact them using a Hotmail address. Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDOS.

At this point we took action to take control back of our panel by changing passwords, however the intruder had prepared for this and had already created a number of backup logins to the panel and upon seeing us make the attempted recovery of the account he proceeded to randomly delete artifacts from the panel.

Nokia Extorted For Millions Over Stolen Encryption Keys

Soulskill posted about 2 months ago | from the good-showing-all-around dept.

Cellphones 89

jppiiroinen writes: At the end of 2007, when Nokia still had huge market share with Symbian devices, they failed to disclose that somebody had stolen their encryption keys and extorted them for millions of Euros. The Finnish National Bureau of Investigation has not been able to figure out who did it. "The blackmailer had gotten hold of the Symbian encryption key used for signing. The code is a few kilobytes in size. Had the key been leaked, Nokia would not have been able to ensure that the phones accept only applications approved by the company."

Researchers Outline Spammers' Business Ecosystem

timothy posted about 3 months ago | from the is-that-enough-info-to-send-the-rebel-alliance? dept.

Spam 14

An anonymous reader writes A team of researchers at the UC Santa Barbara and RWTH Aachen presented new findings on the relationship of spam actors [abstract; full paper here] at the ACM Symposium on Information, Computer and Communications Security. This presents the first end-to-end analysis of the spam delivery ecosystem including: harvesters crawl the web and compile email lists, botmasters infect and operate botnets, and spammers rent botnets and buy email lists to run spam campaigns. Their results suggest that spammers develop a type of "customer loyalty"; spammers likely purchase preferred resources from actors that have "proven" themselves in the past. Previous work examined the market economy of the email address market in preparatory work: 1 million email addresses were offered on the examined forum for anywhere ranging between 20 and 40 Euros.

Book Review: Security Without Obscurity

samzenpus posted about 3 months ago | from the read-all-about-it dept.

Books 51

benrothke (2577567) writes Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standard bodies across the globe. Keep reading for the rest of Ben's review.

Transforming the Web Into a Transparent 'HTTPA' Database

timothy posted about 3 months ago | from the security-still-needed-note dept.

Security 69

An anonymous reader writes MIT researchers believe the solution to misuse and leakage of private data is more transparency and auditability, not adding new layers of security. Traditional approaches make it hard, if not impossible, to share data for useful purposes, such as in healthcare. Enter HTTPA, HTTP with accountability.
From the article: "With HTTPA, each item of private data would be assigned its own uniform resource identifier (URI), a component of the Semantic Web that, researchers say, would convert the Web from a collection of searchable text files into a giant database. Every time the server transmitted a piece of sensitive data, it would also send a description of the restrictions on the data’s use. And it would also log the transaction, using the URI, in a network of encrypted servers."

Despite Project's Demise, Amazon Web Services Continues To Use TrueCrypt

timothy posted about 3 months ago | from the turning-a-ship-takes-a-while dept.

Data Storage 75

An anonymous reader writes with an article at InfoWorld that points out that TrueCrypt may have melted down as a project, but hasn't disappeared altogether: Importing and exporting data from Amazon Simple Storage Service still requires TrueCrypt, two weeks after the encryption software was discontinued ... Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future. Infrastructure can be complex to upgrade; how long is reasonable?

Microsoft Runs Out of US Address Space For Azure, Taps Its Global IPv4 Stock

timothy posted about 3 months ago | from the one-on-every-desktop dept.

Microsoft 250

alphadogg (971356) writes "Microsoft has been forced to start using its global stock of IPv4 addresses to keep its Azure cloud service afloat in the U.S., highlighting the growing importance of making the shift to IP version 6. The newer version of the Internet Protocol adds an almost inexhaustible number of addresses thanks to a 128-bit long address field, compared to the 32 bits used by version 4. The IPv4 address space has been fully assigned in the U.S., meaning there are no additional addresses available, Microsoft said in a blog post earlier this week. This requires the company to use the IPv4 address space available to it globally for new services, it said."

One Developer's Experience With Real Life Bitrot Under HFS+

timothy posted about 3 months ago | from the so-really-it's-both-plus-and-minus dept.

Bug 396

New submitter jackjeff (955699) writes with an excerpt from developer Aymeric Barthe about data loss suffered under Apple's venerable HFS+ filesystem. HFS+ lost a total of 28 files over the course of 6 years. Most of the corrupted files are completely unreadable. The JPEGs typically decode partially, up to the point of failure. The raw .CR2 files usually turn out to be totally unreadable: either completely black or having a large color overlay on significant portions of the photo. Most of these shots are not so important, but a handful of them are. One of the CR2 files in particular, is a very good picture of my son when he was a baby. I printed and framed that photo, so I am glad that I did not lose the original. (Barthe acknowledges that data loss and corruption certainly aren't limited to HFS+; "bitrot is actually a problem shared by most popular filesystems. Including NTFS and ext4." I wish I'd lost only 28 files over the years.)

Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

Soulskill posted about 3 months ago | from the 40-year-old-technology-will-save-us dept.

Security 142

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.

European iPhone Chargers Prone To Overheating

Soulskill posted about 3 months ago | from the marketed-as-the-only-incendiary-device-you'll-ever-need dept.

Bug 128

jones_supa sends word that Apple has launched an exchange program for European iPhone USB power adapters. The company says its A1300 adapters were bundled with the iPhone 3GS, iPhone 4, and iPhone 4S models, and were also sold on their own from Oct. 2009 to Sept. 2012. The reason for the recall is that the adapters "may overheat and pose a safety risk." No further details are provided (a YouTube video shows a teardown of the device).

Man Behind Hacks of Bush Family and Other Celebs Indicted In the US

Soulskill posted about 3 months ago | from the bet-you-wish-you'd-stood-in-bed dept.

Crime 65

New submitter criticalmass24 writes: 42-year-old Marcel Lehel Lazar, better known as Guccifer, the hacker that gained unauthorized access to email and social network accounts of high-profile public figures, has been charged in the United States. According to the Department of Justice, "[F]rom December 2012 to January 2014, Lazar hacked into the e-mail and social media accounts of high-profile victims, including a family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff, and a former presidential adviser. After gaining unauthorized access to their e-mail and social media accounts, Lazar publicly released his victims’ private e-mail correspondence, medical and financial information, and personal photographs. The indictment also alleges that in July and August 2013, Lazar impersonated a victim after compromising the victim’s account." The full indictment can be read online.

AT&T Says Customer Data Accessed To Unlock Smartphones

Soulskill posted about 3 months ago | from the another-day-another-breach dept.

AT&T 65

itwbennett writes: Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed. The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn't say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.

The Computer Security Threat From Ultrasonic Networks

timothy posted about 3 months ago | from the why-your-bats-are-going-crazy dept.

Security 121

KentuckyFC (1144503) writes: Security researchers in Germany have demonstrated an entirely new way to attack computer networks and steal information without anybody knowing. The new medium of attack is ultrasonic sound. It relies on software that uses the built-in speakers on a laptop to broadcast at ultrasonic frequencies while nearby laptops listen out for the transmissions and pass them on, a setup known as a mesh network. The team has tested this kind of attack on a set of Lenovo T400 laptops infected with key-logging software. They say it is possible to transmit ultrasonic signals covertly at data rates of 20 bits per second at distances of up to 20 metres in an office environment. Interestingly, the team created the covert system by adapting a protocol designed for underwater acoustic communication. They've also tested various strategies for defeating this kind of attack. An obvious option is to disable all speakers and microphones, but this also prevents ordinary activities such as VOIP communication. Instead, they suggest filtering the audio signals to prevent ultrasonic transmissions or converting them into an audible frequency. This may be newer than most attack vectors, but it's not the first time that ultrasonic transmission has been demonstrated as a vulnerability; in November of last year we mentioned malware operating along the same lines, as investigated by Pwn2Own creator Dragos Ruiu.

Cybercriminals Ramp Up Activity Ahead of 2014 World Cup

samzenpus posted about 3 months ago | from the crime-wave dept.

Crime 90

wiredmikey (1824622) writes: With the FIFA World Cup 2014 kicking off this week in Brazil, cybercriminals and scammers are working hard to take advantage of visitors to the World Cup in Brazil and those following the world soccer tournament online. In recent months, several security vendors have published advisories about the various scams, phishing and malware operations that target Internet users interested in the World Cup. While individuals from all over the world have been targeted, many of the malicious campaigns focus on Brazil and neighboring South American countries. While news that cybercriminals are zoning in on a large global event is no surprise, the scale and tactics being used are quite wide in scope, ranging from malware distribution and phishing scams, to fraudulent ticket sales, spam and other promising yet fraudulent schemes. For those visiting Brazil to watch the games in person, the cyber threats also include rogue wireless access points, ATMs rigged with card skimmers and Point-of-Sale malware.

TweetDeck Hacked

samzenpus posted about 3 months ago | from the have-a-heart dept.

Security 19

redletterdave (2493036) writes: TweetDeck, Twitter's tool for real-time tracking and engagement of posts, was found to be vulnerable to cross-site scripting (XSS), a type of computer vulnerability commonly found in web applications that allows hackers to inject script into webpages to access user accounts and important security information. As a result of the hack, a tweet with an emoticon heart is being shared more than 38,000 times — automatically.

New Permission System Could Make Android Much Less Secure

Soulskill posted about 3 months ago | from the this-app-is-requesting-permission-to-shock-you-with-a-tazer dept.

Android 249

capedgirardeau writes: An update to the Google Play store now groups app permissions into collections of related permissions, making them much less fine grained and potentially misleading for users. For example, the SMS permissions group would allow an app access to both reading and sending SMS messages. The problem is that once an app has access to the group of permissions, it can make use of any of the allowed actions at any time without ever informing the user. As Google explains: "It's a good idea to review permissions groups before downloading an app. Once you've allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won't need to manually approve individual permissions updates that belong to a permissions group you've already accepted."

Project Un1c0rn Wants To Be the Google For Lazy Security Flaws

Unknown Lamer posted about 3 months ago | from the always-blame-wordpress dept.

Security 43

Daniel_Stuckey (2647775) writes "Following broad security scares like that caused by the Heartbleed bug, it can be frustratingly difficult to find out if a site you use often still has gaping flaws. But a little known community of software developers is trying to change that, by creating a searchable, public index of websites with known security issues. Think of Project Un1c0rn as a Google for site security. Launched on May 15th, the site's creators say that so far it has indexed 59,000 websites and counting. The goal, according to its founders, is to document open leaks caused by the Heartbleed bug, as well as 'access to users' databases' in Mongo DB and MySQL. According to the developers, those three types of vulnerabilities are most widespread because they rely on commonly used tools. For example, Mongo databases are used by popular sites like LinkedIn, Expedia, and SourceForge, while MySQL powers applications such as WordPress, Drupal or Joomla, and is even used by Twitter, Google and Facebook."

Cisco Opposes Net Neutrality

Soulskill posted about 3 months ago | from the noted-and-filed dept.

Networking 337

angry tapir writes: All bits running over the Internet are not equal and should not be treated that way by broadband providers, despite net neutrality advocates' calls for traffic neutral regulations, Cisco Systems has said. Some Web-based applications, including rapidly growing video services, home health monitoring and public safety apps, will demand priority access to the network, while others, like most Web browsing and email, may live with slight delays, said Jeff Campbell, Cisco's vice president for government and community relations. "Different bits do matter differently. We need to ensure that we have a system that allows this to occur."

Credit Card Breach At P.F. Chang's

Soulskill posted about 3 months ago | from the another-day-another-breach dept.

Security 117

schwit1 tips a post by Brian Krebs saying that P.F. Chang's China Bistro, a nationwide restaurant chain, is the latest victim of a massive data breach. The company is currently investigating. Krebs writes: On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang's locations between the beginning of March 2014 and May 19, 2014. ... The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example).

Firefox 30 Available, Firebug 2.0 Released

Soulskill posted about 3 months ago | from the 30-is-over-the-hill dept.

Firefox 270

Today Mozilla made Firefox 30 available, a relatively minor release after the massive redesign in version 29. According to the changelog, new features include VP9 video decoding, support for Opus in WebM, and horizontal volume control for HTML5 video and audio. Developers got support for multi-line flexboxes and hang reporting for background threads. There were also a number of security fixes. The Android version of Firefox received better support for native text selection, cutting, and copying, as well as predictive lookup for Awesomebar entries. The availability of Firefox 30 coincides with the launch of Firebug 2.0, which features an updated UI and a new debugging engine called JSD2. Significant new features include JavaScript syntax highlighting and de-minifying, improved code auto-complete, and the capability to hide or show individual Firebug panels.

Auditors Release Verified Repositories of TrueCrypt

Soulskill posted about 3 months ago | from the still-not-sure-what's-going-on dept.

Encryption 146

Trailrunner7 writes: As the uncertainty surrounding the end of TrueCrypt continues, members of the security community are working to preserve a known-good archive of the last version of the open source encryption software released before the developers inserted a warning about potential unfixed bugs in the software and ended development.

The message that TrueCrypt posted about the security of the software also was included in the release of version 7.2a. The OCAP team decided to focus on version 7.1a and created the verified repository by comparing the SHA2 hashes with files found in other TrueCrypt repositories. So the files are the same as the ones that were distributed as 7.1a. "These files were obtained last November in preparation for our audit, and match the hash reported by iSec in their official report from phase I of the audit," said Kenn White, part of the team involved in the TrueCrypt audit.

NSA's Novel Claim: Our Systems Are Too Complex To Obey the Law

timothy posted about 3 months ago | from the complex-simple-same-thing dept.

Electronic Frontier Foundation 245

Reader Bruce66423 (1678196) points out skeptical-sounding coverage at the Washington Post of the NSA's claim that it can't hold onto information it collects about users' online activity long enough for it to be useful as evidence in lawsuits about the very practice of that collection. From the article: 'The agency is facing a slew of lawsuits over its surveillance programs, many launched after former NSA contractor Edward Snowden leaked information on the agency's efforts last year. One suit that pre-dates the Snowden leaks, Jewel v. NSA, challenges the constitutionality of programs that the suit alleges collect information about Americans' telephone and Internet activities. In a hearing Friday, U.S. District Judge Jeffrey S. White of the Northern District of California reversed an emergency order he had issued earlier the same week barring the government from destroying data that the Electronic Frontier Foundation had asked be preserved for that case. The data is collected under Section 702 of the Amendments Act to the Foreign Intelligence Surveillance Act. But the NSA argued that holding onto the data would be too burdensome. "A requirement to preserve all data acquired under section 702 presents significant operational problems, only one of which is that the NSA may have to shut down all systems and databases that contain Section 702 information," wrote NSA Deputy Director Richard Ledgett in a court filing submitted to the court. The complexity of the NSA systems meant preservation efforts might not work, he argued, but would have "an immediate, specific, and harmful impact on the national security of the United States."' Adds Bruce66423: "This of course implies that they have no backup system — or at least that the backups are not held for long."

Grand Theft Auto V For Modern Platforms Confirmed

timothy posted about 3 months ago | from the spree-killing-for-everyone dept.

Graphics 133

jones_supa (887896) writes 'Since the release of the extremely successful Grand Theft Auto V on PlayStation 3 and Xbox 360, rumors about PC — and later also Xbox One and PlayStation 4 — versions have been floating around. Now it's official: Grand Theft Auto V will be released on Windows PC and Xbox One, in addition to PlayStation 4, this fall, publisher Rockstar Games announced today with a trailer. A post on Rockstar Newswire tells us that the ports will offer visual and technical improvements such as "increased draw distances, finer texture details, denser traffic and enhanced resolutions." All of the new GTA Online content that has been created and released since launch will also be available on the modern platforms. The PC version will exclusively include a video editor to allow players to put together their own clips of in-game action.'

Britain Gets National .uk Web Address

timothy posted about 3 months ago | from the actually-top-level dept.

The Internet 111

hypnosec (2231454) writes 'Starting today, businesses and individuals in the UK will be able to register a new national web address (".uk") and drop their existing ".co.uk" or ".com" suffix in favour of a shorter and snappier domain name. The entire process, along with the transition, is being overseen by the private yet not-for-profit organisation Nominet, which has already started notifying existing customers with a ".co.uk" domain of their chance to adopt a ".uk" domain. Nominet will reserve all ".uk" domain names which already have a ".co.uk" counterpart for the next five years, offering registrants the chance to adopt the new domain and to keep cyber squatters at bay.'

iOS 8 Strikes an Unexpected Blow Against Location Tracking

Unknown Lamer posted about 3 months ago | from the waiting-for-obvious-patents dept.

IOS 323

schwit1 (797399) writes 'It wasn't touted onstage, but a new iOS 8 feature is set to cause havoc for location trackers, and score a major win for privacy. As spotted by Frederic Jacobs, the changes have to do with the MAC address used to identify devices within networks. When iOS 8 devices look for a connection, they randomize the MAC address, effectively disguising any trace of the real device until it decides to connect to a network.'

Kids With Operators Manual Alert Bank Officials: "We Hacked Your ATM"

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 378

An anonymous reader writes "Two 14-year-olds hacked a Bank of Montreal ATM after finding an operators manual online that showed how to gain administrative control. Matthew Hewlett and Caleb Turon alerted bank employees after testing the instructions on an ATM at a nearby supermarket. At first the employees thought the boys had the PIN numbers of customers. 'I said: "No, no, no. We hacked your ATM. We got into the operator mode,"' Hewlett was quoted as saying. Then, the bank employees asked for proof. 'So we both went back to the ATM and I got into the operator mode again,' Hewlett said. 'Then I started printing off documentations like how much money is currently in the machine, how many withdrawals have happened that day, how much it's made off surcharges. Then I found a way to change the surcharge amount, so I changed the surcharge amount to one cent.'"
