Critroni Crypto Ransomware Seen Using Tor for Command and Control

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 122

Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."

Australian Website Waits Three Years To Inform Customers of Data Breach

Unknown Lamer posted about 3 months ago | from the better-never-than-late dept.

Privacy 35

AlbanX (2847805) writes Australian daily deals website Catch of the Day waited three years to tell its customers their email addresses, delivery addresses, hashed passwords, and some credit card details had been stolen. Its systems were breached in April 2011 and the company told police, banks and credit cards issuers, but didn't tell the Privacy Commissioner or customers until July 18th.

Tesla Model S Hacking Prize Claimed

Soulskill posted about 3 months ago | from the to-the-victors-go-the-electric-spoils dept.

Transportation 59

savuporo sends word that a $10,000 bounty placed on hacking a Tesla Model S has been claimed by a team from Zhejiang University in China. The bounty itself was not issued by Tesla, but by Qihoo 360, a Chinese security company. "[The researchers] were able to gain remote control of the car's door locks, headlights, wipers, sunroof, and horn, Qihoo 360 said on its social networking Sina Weibo account. The security firm declined to reveal details at this point about how the hack was accomplished, although one report indicated that the hackers cracked the six-digit code for the Model S's mobile app."

Point-of-Sale System Bought On eBay Yields Treasure Trove of Private Data

Soulskill posted about 3 months ago | from the low-hanging-fruit dept.

Security 68

jfruh writes: Point-of-sale systems aren't cheap, so it's not unusual for smaller merchants to buy used terminals second-hand. An HP security researcher bought one such unit on eBay to see what a used POS system will get you, and what he found was disturbing: default passwords, a security flaw, and names, addresses, and social security numbers of employees of the terminal's previous owner.

New Mayhem Malware Targets Linux and UNIX-Like Servers

Soulskill posted about 3 months ago | from the keep-calm-and-patch-on dept.

Security 168

Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."

The Hacking of NASDAQ

Unknown Lamer posted about 3 months ago | from the tales-of-hacking-and-intrigue dept.

Security 76

puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"

Pushdo Trojan Infects 11,000 Systems In 24 Hours

Unknown Lamer posted about 3 months ago | from the bots-everywhere dept.

Botnet 32

An anonymous reader writes Bitdefender has discovered that a new variant of the Trojan component, Pushdo, has emerged. 77 machines have been infected in the UK via the botnet in the past 24 hours, with more than 11,000 infections reported worldwide in the same period. The countries most affected so far by the Pushdo variant are India, Vietnam and Turkey. Since Pushdo has resurfaced, the public and private keys used to protect the communication between the bots and the Command and Control Servers have been changed, but the communication protocol remains the same.

LibreSSL PRNG Vulnerability Patched

Soulskill posted about 3 months ago | from the looking-forward-to-the-next-two-day-panic dept.

Security 151

msm1267 writes: The OpenBSD project late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG). The flaw was disclosed two days ago by the founder of secure backup company Opsmate, Andrew Ayer, who said the vulnerability was a "catastrophic failure of the PRNG." OpenBSD founder Theo de Raadt and developer Bob Beck, however, countered saying that the issue is "overblown" because Ayer's test program is unrealistic. Ayer's test program, when linked to LibreSSL and made two different calls to the PRNG, returned the exact same data both times.

"It is actually only a problem with the author's contrived test program," Beck said. "While it's a real issue, it's actually a fairly minor one, because real applications don't work the way the author describes, both because the PID (process identification number) issue would be very difficult to have become a real issue in real software, and nobody writes real software with OpenSSL the way the author has set this test up in the article."

ChickTech Brings Hundreds of Young Women To Open Source

Soulskill posted about 3 months ago | from the more-engineers-more-cool-stuff dept.

Education 158

ectoman writes: Opensource.com is running an interview with Jennifer Davidson of ChickTech, a non-profit organization whose mission is to create communities of support for women and girls pursuing (or interested in pursuing) careers in tech. "In the United States, many girls are brought up to believe that 'girls can't do math' and that science and other 'geeky' topics are for boys," Davidson said. "We break down that idea." Portland, OR-based ChickTech is quickly expanding throughout the United States—to cities like Corvallis and San Francisco—thanks to the "ChickTech: High School" initiative, which gathers hundreds of young women for two-day workshops featuring open source technologies. "We fill a university engineering department with 100 high school girls—more girls than many engineering departments have ever seen," Davidson said. "The participants can look around the building and see that girls from all backgrounds are just as excited about tech as they are."

Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say

Unknown Lamer posted about 3 months ago | from the brain-full-try-again-later dept.

Security 280

An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum." Not only do they recommend reusing passwords, but reusing bad passwords for low risks sites to minimize recall difficulty.

Breaches Exposed 22.8 Million Personal Records of New Yorkers

Unknown Lamer posted about 4 months ago | from the what-is-security dept.

Security 41

An anonymous reader writes Attorney General Eric T. Schneiderman issued a new report examining the growing number, complexity, and costs of data breaches in New York State. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. The demand on secondary markets for stolen information remains robust. Freshly acquired stolen credit card numbers can fetch up to $45 per record, while other types of personal information, such as Social Security numbers and online account information, can command even higher prices.

HP Claims Their Moonshot System is a 'New Style of IT' (Video)

Roblimo posted about 4 months ago | from the my-server-uses-less-power-than-yours dept.

HP 68

Didn't we already have something kind of like this called a Blade server? But this is better! An HP Web page devoted to Moonshot says, 'Compared to traditional servers, up to: 89% less energy; 80% less space; 77% less cost; and 97% less complex.' If this is all true, the world of servers is now undergoing a radical change. || A quote from another Moonshot page: "The HP Moonshot 1500 Chassis has 45 hot-pluggable servers installed and fits into 4.3U. The density comes in part from the low-energy, efficient processors. The innovative chassis design supports 45 servers, 2 network switches, and supporting components." These are software-defined servers. HP claims they are the first ones ever, a claim that may depend on how you define "software-defined." And what software defines them? In this case, at Texas Linux Fest, it seems to be Ubuntu Linux. (Alternate Video Link)

Google's Project Zero Aims To Find Exploits Before Attackers Do

Unknown Lamer posted about 4 months ago | from the evil-hackers-respond-with-negative-one-day-exploits dept.

Security 62

DavidGilbert99 (2607235) writes "Google has announced Project Zero, a group of security experts who will hunt down security flaws in all software which touches the Internet. Among the group is a 24-year-old called George Hotz who shot to fame in 2007 when he was the first to unlock the iPhone before reverse engineering the PlayStation 3." Quoting the Project Zero announcement: You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications. Yet in sophisticated attacks, we see the use of "zero-day" vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. ... We're not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. All issues will be reported to the usual public vulnerability databases after vendors are given a short period to fix their systems and software.

OpenWRT 14.07 RC1 Supports Native IPv6, Procd Init System

Unknown Lamer posted about 4 months ago | from the bofh-excuse-#3847-replacing-router-os dept.

Networking 71

An anonymous reader writes Release Candidate One of OpenWRT 14.07 "Barrier Breaker" is released. Big for this tiny embedded Linux distribution for routers in 14.07 is native IPv6 support and the procd init system integration. The native IPv6 support is with the RA and DHCPv6+PD client and server support plus other changes. Procd is OpenWRT's new preinit, init, hotplug, and event system. Perhaps not too exciting is support for upgrading on devices with NAND, and file system snapshot/restore so you can experiment without fear of leaving your network broken. There's also experimental support for the musl standard C library.

German NSA Committee May Turn To Typewriters To Stop Leaks

Unknown Lamer posted about 4 months ago | from the how-to-tell-wikileaks-is-winning dept.

Security 244

mpicpp (3454017) writes with news that Germany may be joining Russia in a paranoid switch from computers to typewriters for sensitive documents. From the article: Patrick Sensburg, chairman of the German parliament's National Security Agency investigative committee, now says he's considering expanding the use of manual typewriters to carry out his group's work. ... Sensburg said that the committee is taking its operational security very seriously. "In fact, we already have [a typewriter], and it's even a non-electronic typewriter," he said. If Sensburg's suggestion takes flight, the country would be taking a page out of the Russian playbook. Last year, the agency in charge of securing communications from the Kremlin announced that it wanted to spend 486,000 rubles (about $14,800) to buy 20 electric typewriters as a way to avoid digital leaks.

Hacking Online Polls and Other Ways British Spies Seek To Control the Internet

samzenpus posted about 4 months ago | from the learning-to-troll dept.

United Kingdom 117

Advocatus Diaboli writes The secretive British spy agency GCHQ has developed covert tools to seed the internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, "amplif[y]" sanctioned messages on YouTube, and censor video content judged to be "extremist." The capabilities, detailed in documents provided by NSA whistleblower Edward Snowden, even include an old standby for pre-adolescent prank callers everywhere: A way to connect two unsuspecting phone users together in a call. The tools were created by GCHQ's Joint Threat Research Intelligence Group (JTRIG), and constitute some of the most startling methods of propaganda and internet deception contained within the Snowden archive. Previously disclosed documents have detailed JTRIG's use of "fake victim blog posts," "false flag operations," "honey traps" and psychological manipulation to target online activists, monitor visitors to WikiLeaks, and spy on YouTube and Facebook users.

Critical Vulnerabilities In Web-Based Password Managers Found

samzenpus posted about 4 months ago | from the protect-ya-neck dept.

Security 114

An anonymous reader writes A group of researchers from University of California, Berkeley, have analyzed five popular web-based password managers and have discovered vulnerabilities that could allow attackers to learn a user's credentials for arbitrary websites. The five password managers they analyzed are LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword. "Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn't respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure. 'Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered,' they pointed out. They also announced that they will be working on a tool that automatizes the process of identifying vulnerabilities, as well as on developing a 'principled, secure-by-construction password manager.'"

Apple Refutes Report On iPhone Threat To China's National Security

samzenpus posted about 4 months ago | from the it-was-other-kids dept.

China 134

An anonymous reader writes "Apple has never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers," the company said Sunday in a bilingual statement on its China website. Users have to make the choice to enable the iPhones to calculate their locations, while "Apple does not track users' locations — Apple has never done so and has no plans to ever do so," the company said. The statement was in response to allegations by China's top state broadcaster that iOS7 software and its "Frequent Location" service posed a security risk. The data can be accessed easily, although labelled as "encrypted," and may lead to the disclosure of "state secrets," CCTV said.

New Raspberry Pi Model B+

samzenpus posted about 4 months ago | from the latest-and-greatest dept.

Upgrades 202

mikejuk writes The Raspberry Pi foundation has just announced the Raspberry Pi B+. The basic specs haven't changed much — same BCM2835 and 512MB of RAM and the $35 price tag. There are now four USB ports, which means you don't need a hub to work with a mouse, keyboard and WiFi dongle. The GPIO has been expanded to 40 pins, but don't worry: you can plug your old boards and cables into the lefthand part of the connector, and it's backward compatible. As well as some additional general purpose lines, there are two designated for use with I2C EEPROM. When the Pi boots it will look for custom EEPROMs on these lines and optionally use them to load Linux drivers or set up expansion boards. Expansion boards can now include identity chips that, when the board is connected, configure the Pi to make use of them — no more manual customization. The change to a micro SD socket is nice, unless you happen to have lots of spare full size SD cards around. It is also claimed that the power requirements have dropped by half, to one watt, which brings the model B into the same power consumption area as the model A. Comp video is now available on the audio jack, and the audio quality has been improved. One big step for Raspberry Pi is that it now has four holes for mounting in standard enclosures.

NSA Says Snowden Emails Exempt From Public Disclosure

samzenpus posted about 4 months ago | from the for-our-eyes-only dept.

United States 231

AHuxley (892839) writes "The Desk reports on a FOIA request covering "... all e-mails sent by Edward Snowden" and the NSA's refusal to release all documents. "The National Security Agency has acknowledged it retains a record of e-mail communications from former contractor turned whistleblower Edward Snowden, but says those records are exempt from public disclosure under the federal Freedom of Information Act. In a letter responding to a June 27 FOIA request from The Desk, the NSA’s chief FOIA officer Pamela Phillips wrote that while the agency has retained records related to Snowden’s employment as a contractor, they are being withheld from public examination because, among other things, releasing the records 'could interfere with law enforcement proceedings, could cause an unwarranted invasion of personal privacy, could reveal the identities of confidential sources or would reveal law enforcement techniques and procedures.' Other records are being withheld because those documents were 'also found to be currently and properly classified and remains classified TOP SECRET, SECRET and CONFIDENTIAL.' The letter marks the first time the NSA has publicly acknowledged retaining communication and employment records related to Snowden’s time as a contractor."

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption

samzenpus posted about 4 months ago | from the getting-it-clean dept.

Android 91

MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just a matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping, but most should follow this convention just fine.

Nano-Pixels Hold Potential For Screens Far Denser Than Today's Best

timothy posted about 4 months ago | from the enhance-enhance-enhance dept.

Displays 129

Zothecula (1870348) writes "The Retina displays featured on Apple's iPhone 4 and 5 models pack a pixel density of 326 ppi, with individual pixels measuring 78 micrometers. That might seem plenty good enough given the average human eye is unable to differentiate between the individual pixels, but scientists in the UK have now developed technology that could lead to extremely high-resolution displays that put such pixel densities to shame."

Source Code Leaked For Tinba Banking Trojan

timothy posted about 4 months ago | from the small-can-be-potent dept.

Crime 75

msm1267 (2804139) writes "The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit. Tinba performs many of the same malicious functions as other banker Trojans, injecting itself into running processes on an infected machine, including the browser and explorer.exe. The malware is designed to steal financial information, including banking credentials and credit-card data and also makes each infected computer part of a botnet. Compromised machines communicate with command-and-control servers over encrypted channels. Tinba got its name from an abbreviation of "tiny banker," and researchers say that it's only about 20 KB in size."

FCC Approves Subsidy Plan to Upgrade School and Library Networks

timothy posted about 4 months ago | from the ask-for-a-mile-in-hopes-of-an-inch dept.

Government 70

The Washington Post reports that, "In a 3-2 vote along party lines Friday, the FCC greenlit a plan to spend $2 billion over the next two years on subsidies for internal networks. The move also begins a process to phase out some subsidies under the federal program, known as E-Rate, for services and equipment that are on the decline, such as pagers and dial-up Internet service." That sounds like a lot of money, and it is, but as usual in politics it's the result of a messy process: The original plan called for spending $5 billion on WiFi over five years, in line with a push by the Obama administration to bring next-gen broadband and WiFi to 99 percent of students over the same period. Those funds would have partly come from savings as a result of transitioning away from supporting legacy technologies. The proposal would also have eliminated an existing requirement that E-Rate funds be spent first on broadband services before being applied to WiFi. In past years, the cost of broadband service meant that money was rarely left over for upgrading WiFi connections. But the FCC's proposal was ultimately scaled back late Thursday amid Republican objections that the E-Rate program can't afford the changes. The final proposal's two-year, $2 billion commitment accounts for the money the FCC has already set aside for WiFi upgrades, but it does not commit the FCC to funding WiFi upgrades at that same rate for the following three years.

Chinese Hackers Infiltrate Firms Using Malware-Laden Handheld Scanners

timothy posted about 4 months ago | from the location-location-location dept.

China 93

wiredmikey (1824622) writes China-based threat actors are using sophisticated malware installed on handheld scanners to target shipping and logistics organizations from all over the world. According to security firm TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling. The Chinese manufacturer installs the malware on the Windows XP operating systems embedded in the devices.

Experts determined that the threat group targets servers storing corporate financial data, customer data and other sensitive information. A second payload downloaded by the malware then establishes a sophisticated C&C on the company's finance servers, enabling the attackers to exfiltrate the information they're after. The malware used by the Zombie Zero attackers is highly sophisticated and polymorphic, the researchers said. In one attack they observed, 16 of the 48 scanners used by the victim were infected, and the malware managed to penetrate the targeted organization's defenses and gain access to servers on the corporate network. Interestingly, the C&C is located at the Lanxiang Vocational School, an educational institution said to be involved in the Operation Aurora attacks against Google, and which is physically located only one block away from the scanner manufacturer, TrapX said.

First Release of LibreSSL Portable Is Available

Soulskill posted about 4 months ago | from the cryptic-announcements dept.

Encryption 101

ConstantineM writes: It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror. libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD. This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third-parties. Support for additional platforms will be added as time and resources permit.

Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet

Soulskill posted about 4 months ago | from the game-not-quite-over-after-all dept.

Botnet 62

New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)

Ask Slashdot: Unattended Maintenance Windows?

Soulskill posted about 4 months ago | from the wake-me-if-there's-fire dept.

IT 265

grahamsaa writes: Like many others in IT, I sometimes have to do server maintenance at unfortunate times. 6AM is the norm for us, but in some cases we're expected to do it as early as 2AM, which isn't exactly optimal. I understand that critical services can't be taken down during business hours, and most of our products are used 24 hours a day, but for some things it seems like it would be possible to automate maintenance (and downtime).

I have a maintenance window at about 5AM tomorrow. It's fairly simple — upgrade CentOS, remove a package, install a package, reboot. Downtime shouldn't be more than 5 minutes. While I don't think it would be wise to automate this window, I think with sufficient testing we might be able to automate future maintenance windows so I or someone else can sleep in. Aside from the benefit of getting a bit more sleep, automating this kind of thing means that it can be written, reviewed and tested well in advance. Of course, if something goes horribly wrong having a live body keeping watch is probably helpful. That said, we do have people on call 24/7 and they could probably respond capably in an emergency. Have any of you tried to do something like this? What's your experience been like?

Ode To Sound Blaster: Are Discrete Audio Cards Still Worth the Investment?

timothy posted about 4 months ago | from the won't-fit-in-my-phone dept.

Music 502

MojoKid (1002251) writes "Back in the day (which is a scientific measurement for anyone who used to walk to school during snowstorms, uphill, both ways), integrated audio solutions had trouble earning respect. Many enthusiasts considered a sound card an essential piece to the PC building puzzle. It's been 25 years since the first Sound Blaster card was introduced, a pretty remarkable feat considering the diminished reliance on discrete audio in PCs, in general. These days, the Sound Blaster ZxR is Creative's flagship audio solution for PC power users. It boasts a signal-to-noise (SNR) of 124dB that Creative claims is 89.1 times better than your motherboard's integrated audio solution. It also features a built-in headphone amplifier, beamforming microphone, a multi-core Sound Core3D audio processor, and various proprietary audio technologies. While gaming there is no significant performance impact or benefit when going from onboard audio to the Sound Blaster ZxR. However, the Sound Blaster ZxR produced higher-quality in-game sound effects and it also produces noticeably superior audio in music and movies, provided your speakers can keep up."

Today In Year-based Computer Errors: Draft Notices Sent To Men Born In the 1800s

timothy posted about 4 months ago | from the pa-dmv-never-did-me-any-favors-either dept.

Bug 205

sandbagger (654585) writes with word of a Y2K-style bug showing up in Y2K14: "The glitch originated with the Pennsylvania Department of Motor Vehicles during an automated data transfer of nearly 400,000 records. The records of males born between 1993 and 1997 were mixed with those of men born a century earlier. The federal agency didn't know it because the state uses a two-digit code to indicate birth year." I wonder where else two-digit years are causing problems; I still see lots of paper forms that haven't made the leap yet to four digits.

Hacking a Tesla Model S Could Net $10,000 Prize

timothy posted about 4 months ago | from the usb-port-under-the-gas-cap dept.

Transportation 77

cartechboy (2660665) writes "It seems there's a new hack challenge set every week, but this time, it seems different. A challenge has been thrown down to hack a Tesla Model S with a $10,000 prize. The organizers of a computer security conference have set the challenge and it's open to anyone that registers for the Syscan conference. Taking place in Beijing from July 16-17, the rules for the hack competition haven't been revealed yet but a Model S will be on display for hackers to try their luck on. It's important to note that Tesla itself isn't involved in the competition in any official capacity, nor does it support the competition. If successful, this wouldn't be the first time a Tesla Model S has been hacked. In that instance Tesla was quick to warn people that making changes in the Model S' software would immediately void the car's warranty. Given the car's high-tech nature, it's no shock Tesla's taking security seriously. With $10,000 on the line, it'll be interesting to see if anyone manages to crack the code."

India's National Informatics Centre Forged Google SSL Certificates

timothy posted about 4 months ago | from the who-can-you-trust? dept.

Security 107

NotInHere (3654617) writes As Google writes on its Online Security Blog, the National Informatics Centre of India (NIC) used its intermediate CA certificate, issued by Indian CCA, to issue several unauthorized certificates for Google domains, allowing it to do Man in the middle attacks. Possible impact however is limited, as, according to Google, the root certificates for the CA were only installed on Windows, which Firefox doesn't use — and for the Chrom{e,ium} browser, the CA for important Google domains is pinned to the Google CA. According to its website, the NIC CA has suspended certificate issuance, and according to Google, its root certificates were revoked by Indian CCA.

UK Computing Student Jailed After Failing To Hand Over Crypto Keys

Soulskill posted about 4 months ago | from the guilty-until-proven-guilty dept.

Encryption 353

stephendavion sends news that Christopher Wilson, a 22-year-old computer science student, has been sent to jail for six months for refusing to hand over his computer encryption passwords. Wilson has been accused of "phoning in a fake warning of an impending cyber attack against Northumbria Police that was convincing enough for the force to temporarily suspend its site as a precaution once a small attack started." He's also accused of trolling on Facebook. Wilson only came to the attention of police in October 2012 after he allegedly emailed warnings about an online threat against one of the staff at Newcastle University. ... The threatening emails came from computer servers linked to Wilson. Police obtained a warrant on this basis and raided his home in Washington, where they seized various items of computer equipment. ... Investigators wanted to examine his encrypted computer but the passwords supplied by Wilson turned out to be incorrect. None of the 50 passwords he provided worked. Frustration with his lack of co-operation prompted police to obtain an order from a judge compelling him to turn over the correct passphrase last year. A judge ordered him to turn over these passwords on the grounds of national security but Wilson still failed to comply, earning him six months behind bars.

Tor Project Sued Over a Revenge Porn Business That Used Its Service

Soulskill posted about 4 months ago | from the tor-is-a-series-of-eeeeevil-tubes dept.

The Courts 311

redletterdave writes: The Tor Project has been sued in the state of Texas over a revenge porn website that used its free encrypted communications service. The plaintiff in the case — Shelby Conklin, a criminal justice major at the University of North Texas — alleges a revenge porn site called Pinkmeth "gained unauthorized access to nude photographs" she owned and posted them to the internet. She also said Tor, which The Economist once called "a dark corner of the web," was involved in an active "civil conspiracy" with Pinkmeth because the revenge porn website used the anonymous communications service to prevent others from tracking its location.

DHS Mistakenly Releases 840 Pages of Critical Infrastructure Documents

Unknown Lamer posted about 4 months ago | from the someone-inverted-the-black-lines dept.

United States 50

wiredmikey (1824622) writes The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack. Of the documents released by the DHS, none were related to the Operation Aurora cyber attack as requested. Many of the 840 pages are comprised of old weekly reports from the DHS' Control System Security Program (CSSP) from 2007. Other pages that were released included information about possible examples of facilities that could be vulnerable to attack, such as water plants and gas pipelines.

Avast Buys 20 Used Phones, Recovers 40,000 Deleted Photos

Soulskill posted about 4 months ago | from the delete-then-rewrite-then-smash-into-bits dept.

Cellphones 231

An anonymous reader writes: The used smartphone market is thriving, with many people selling their old devices on eBay or craigslist when it's time to upgrade. Unfortunately, it seems most people are really bad at wiping their phone of personal data before passing it on to a stranger. Antivirus company Avast bought 20 used Android phones off eBay, and used some basic data recovery software to reconstruct deleted files. From just those 20 phones, they pulled over 40,000 photographs, including 1,500 family pictures of children and over a thousand more.. personal pictures. They also recovered hundreds of emails and text messages, over a thousand Google searches, a completed loan application, and identity information for four of the previous owners. Only one of the phones had security software installed on it, but that phone turned out to provide the most information of all: "Hackers at Avast were able to identify the previous owner, access his Facebook page, plot his previous whereabouts through GPS coordinates, and find the names and numbers of more than a dozen of his closest contacts. What's more, the company discovered a lot about this guy's penchant for kink and a completed copy of a Sexual Harassment course — hopefully a preventative measure."

'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

Soulskill posted about 4 months ago | from the clever-exploits dept.

Security 68

New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.

US Tech Firms Recruiting High Schoolers (And Younger)

Soulskill posted about 4 months ago | from the there-oughta-be-a-law-enforcing-the-laws-we-already-have dept.

Businesses 253

ShaunC writes: Is there a glut of qualified American tech workers, or isn't there? Some companies like Facebook and Airbnb are now actively courting and recruiting high school students as young as 13 with promises of huge stipends and salaries. As one student put it, "It's kind of insane that you can make more than the U.S. average income in a summer." Another who attended a Facebook-sponsored trip said he'd "forego college for a full-time job" if it were offered. Is Silicon Valley taking advantage of naive young workers?

Tired of Playing Cyber Cop, Microsoft Looks For Partners In Crime Fighting

Soulskill posted about 4 months ago | from the every-batman-needs-a-robin dept.

Microsoft 113

chicksdaddy writes: When it comes to fighting cybercrime, few companies can claim to have done as much as Redmond, Washington-based Microsoft, which spent the last five years as the Internet's Dirty Harry: using its size, legal muscle and wealth to single-handedly take down cyber criminal networks from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP. The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. Microsoft Senior Program Manager Holly Stewart gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Speaking to a gathering of cyber security experts and investigators at the 26th annual FIRST Conference in Boston, she said that the company has doubts about the long term effectiveness of its botnet and malware takedowns.

CentOS Linux Version 7 Released On x86_64

Unknown Lamer posted about 4 months ago | from the keeping-costs-down dept.

Operating Systems 125

An anonymous reader writes "Today, the CentOS project unveiled CentOS Linux 7 for 64 bit x86 compatible machines. CentOS conforms fully with Red Hat's redistribution policy and aims to have full functional compatibility with the upstream product released last month. The new version includes systemd, firewalld, GRUB2, LXC, docker, xfs instead of ext4 filesystem by default. The Linux kernel updated to 3.10.0, support for Linux Containers, 3d graphics drivers out of the box, OpenJDK 7, support for 40G Ethernet cards, installations in UEFI secure Boot mode on compatible hardware and more. See the complete list of features here and here. You can grab this release by visiting the official mirror site or via torrents. On a related note there is also a CentOS Linux 7 installation screencast here."

Researchers Develop New Way To Steal Passwords Using Google Glass

samzenpus posted about 4 months ago | from the let's-see-what-you-typed-there dept.

Google 116

mpicpp writes with a story about researchers who have developed a way to steal passwords using video-capturing devices. Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google's face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn't even need to be able to read the screen — meaning glare is not an antidote. The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode. They tested the algorithm on passwords entered on an Apple iPad, Google's Nexus 7 tablet, and an iPhone 5.

Book Review: Data-Driven Security: Analysis, Visualization and Dashboards

samzenpus posted about 4 months ago | from the read-all-about-it dept.

Books 26

benrothke writes There is a not so fine line between data dashboards and other information displays that provide pretty but otherwise useless and unactionable information; and those that provide effective answers to key questions. Data-Driven Security: Analysis, Visualization and Dashboards is all about the latter. In this extremely valuable book, authors Jay Jacobs and Bob Rudis show you how to find security patterns in your data logs and extract enough information from it to create effective information security countermeasures. By using data correctly and truly understanding what that data means, the authors show how you can achieve much greater levels of security. Keep reading for the rest of Ben's review.

TSA Prohibits Taking Discharged Electronic Devices Onto Planes

samzenpus posted about 4 months ago | from the keeping-something-safe dept.

Transportation 702

Trachman writes The US Transport Security Administration revealed on Sunday that enhanced security procedures on flights coming to the US now include not allowing uncharged cell phones and other devices onto planes. “During the security examination, officers may also ask that owners power up some devices, including cell phones. Powerless devices will not be permitted on board the aircraft. The traveler may also undergo additional screening,” TSA said in a statement.

New Snowden Leak: of 160000 Intercepted Messages, Only 10% From Official Targets

samzenpus posted about 4 months ago | from the that-old-familiar-story dept.

United States 201

An anonymous reader writes in with the latest news about NSA spying from documents leaked by Edward Snowden. Ordinary Internet users, American and non-American alike, far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post. Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else. Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or "minimized," more than 65,000 such references to protect Americans' privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.

Industrial Control System Firms In Dragonfly Attack Identified

Unknown Lamer posted about 4 months ago | from the they're-in-the-grid dept.

Security 24

chicksdaddy (814965) writes Two of the three industrial control system (ICS) software companies that were victims of the so-called "Dragonfly" malware have been identified. ... Dale Peterson of the firm Digitalbond identified the vendors as MB Connect Line, a German maker of industrial routers and remote access appliances and eWon, a Belgian firm that makes virtual private network (VPN) software that is used to access industrial control devices like programmable logic controllers. Peterson has also identified the third vendor, identified by F-Secure as a Swiss company, but told The Security Ledger that he cannot share the name of that firm.

The three firms, which serve customers in industry, including owners of critical infrastructure, were the subject of a warning from the Department of Homeland Security. DHS's ICS CERT said it was alerted to compromises of the vendors by researchers at the security firms Symantec and F-Secure. DHS said it is analyzing malware associated with the attacks. The malicious software, dubbed "Havex," was being spread by way of so-called "watering hole" attacks that involved compromises of vendors' web sites. According to Symantec, the malware targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. Most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Ask Slashdot: How Often Should You Change Jobs?

Soulskill posted about 4 months ago | from the headhunters-can-keep-their-opinions-to-themselves dept.

IT 282

An anonymous reader writes "We all know somebody who changes jobs like changing clothes. In software development and IT, it's getting increasingly hard to find people who have been at their job for more than a few years. That's partly because of tech companies' bias for a young work force, and partly because talented people can write their own ticket in this industry. Thus, I put the question to you: how often should you be switching jobs? Obviously, if you find the perfect company (full of good people, doing interesting things, paying you well), your best bet is to stay. But that's not the reality for most of the workforce. Should you always be keeping an eye out for new jobs? Is there a length of time you should stick around so you don't look like a serial job-hopper? Does there come a point in life when it's best to settle down and stick with a job long term?"

NASA Approves Production of Most Powerful Rocket Ever

timothy posted about 4 months ago | from the because-rockets dept.

NASA 146

As reported by the Sydney Morning Herald, NASA has given a green light to the production of a new motor, dubbed the Space Launch System, intended to enable deep space exploration. Boeing, prime contractor on the rocket, announced on Wednesday that it had completed a critical design review and finalized a $US2.8-billion contract with NASA. The last time the space agency made such an assessment of a deep-space rocket was the mighty Saturn V, which took astronauts to the moon. ... Space Launch System's design called for the integration of existing hardware, spurring criticism that it's a "Frankenstein rocket," with much of it assembled from already developed technology. For instance, its two rocket boosters are advanced versions of the Space Shuttle boosters, and a cryogenic propulsion stage is based on the motor of a rocket often used by the Air Force. The Space Frontier Foundation, an advocacy group and frequent NASA critic, said Space Launch System was "built from rotting remnants of left over congressional pork. And its budgetary footprints will stamp out all the missions it is supposed to carry, kill our astronaut program and destroy science and technology projects throughout NASA."

Hacking Internet Connected Light Bulbs

Soulskill posted about 4 months ago | from the not-a-bright-idea dept.

Security 63

An anonymous reader writes We've been calling it for years — connect everything in your house to the internet, and people will find a way to attack it. This post provides a technical walkthrough of how internet-connected lighting systems are vulnerable to outside attacks. Quoting: "With the Contiki installed Raven network interface we were in a position to monitor and inject network traffic into the LIFX mesh network. The protocol observed appeared to be, in the most part, unencrypted. This allowed us to easily dissect the protocol, craft messages to control the light bulbs and replay arbitrary packet payloads. ... Monitoring packets captured from the mesh network whilst adding new bulbs, we were able to identify the specific packets in which the WiFi network credentials were shared among the bulbs. The on-boarding process consists of the master bulb broadcasting for new bulbs on the network. A new bulb responds to the master and then requests the WiFi details to be transferred. The master bulb then broadcasts the WiFi details, encrypted, across the mesh network. The new bulb is then added to the list of available bulbs in the LIFX smart phone application."

Damian Conway On Perl 6 and the Philosophy of Programming

Soulskill posted about 4 months ago | from the secretly-being-developed-by-blizzard dept.

Perl 132

M-Saunders writes: Perl 6 has been in development since 2000. So why, 14 years later, hasn't it been released yet? Linux Voice caught up with Damian Conway, one of the architects of Perl 6, to find out what's happening. "Perl 6 has all of the same features [as Perl 5] but with the rough edges knocked off of them", he says. Conway also talks about the UK's Year of Code project, and how to get more people interested in programming.

Can the NSA Really Track You Through Power Lines?

samzenpus posted about 4 months ago | from the follow-that-hum dept.

Privacy 109

mask.of.sanity writes Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids. Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with, but experts weren't sure if the technology could be used to locate individuals.
