Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Netflix Open Sources Internal Threat Monitoring Tools

timothy posted about 2 months ago | from the how-they-watch-you-watching-them dept.

Open Source 20

alphadogg (971356) writes Netflix has released three internal tools it uses to catch hints on the Web that hackers might target its services. "Many security teams need to stay on the lookout for Internet-based discussions, posts and other bits that may be of impact to the organizations they are protecting," wrote Andy Hoernecke and Scott Behrens of Netflix's Cloud Security Team. One of the tools, called Scumblr, can be used to create custom searches of Google sites, Twitter and Facebook for users or keywords.

Chromium 37 Launches With Major Security Fixes, 64-bit Windows Support

Unknown Lamer posted about 2 months ago | from the almost-makes-up-for-<dialog> dept.

Chromium 113

An anonymous reader writes Google has released Chrome/Chromium version 37 for Windows, Mac, and Linux. Among the changes are better-looking fonts on Windows and a revamped password manager. There are 50 security fixes, including several to patch a sandbox escaping vulnerability. The release also brings stable 64-bit Windows support which ...offers many benefits for speed, stability and security. Our measurements have shown that the native 64-bit version of Chrome has improved speed on many of our graphics and media benchmarks. For example, the VP9 codec that’s used in High Definition YouTube videos shows a 15% improvement in decoding performance. Stability measurements from people opted into our Canary, Dev and Beta 64-bit channels confirm that 64-bit rendering engines are almost twice as stable as 32-bit engines when handling typical web content. Finally, on 64-bit, our defense in depth security mitigations such as Partition Alloc are able to far more effectively defend against vulnerabilities that rely on controlling the memory layout of objects. The full changelog.

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Unknown Lamer posted about 2 months ago | from the not-like-prisoners-are-people-anyway dept.

United Kingdom 74

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

Project Zero Exploits 'Unexploitable' Glibc Bug

Unknown Lamer posted about 2 months ago | from the never-say-never dept.

Security 98

NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

VMware Unveils Workplace Suite and NVIDIA Partnership For Chromebooks

samzenpus posted about 2 months ago | from the check-it-out dept.

Chrome 60

Gamoid writes At VMworld today, VMware introduced the Workplace Suite, a platform for securely delivering applications and content across desktops and mobile devices from the cloud. The really cool part, though, is a partnership with Google and NVIDIA to deliver even graphics-intensive Windows applications on a Chromebook. From the article: "The new VMware Workplace Suite takes advantage of three existing VMware products: Tools for application, device, and content management as well as secure cloud file storage that comes from the January acquisition of enterprise mobile management company AirWatch; VMware Horizon for desktop-as-a-service; and brand-new acquisition CloudVolumes for app delivery. "

TechCentral Scams Call Center Scammers

timothy posted about 2 months ago | from the my-personal-record-is-about-20-minutes dept.

Spam 251

An anonymous reader writes "At TechCentral, we get on average called at least once a week — sometimes far more often — by a friendly sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time. Usually we shrug them off and put the phone down, but this week we thought we'd humour them to find out how they operate. As this week's call came in, the first thing the "operator" at the other end of the line tried to establish was who was owner of the Windows computer in the household. I'd taken the call. It was time to have some fun. I told the scammer that I was the PC owner. He proceeded to introduce himself as "John Connor." I laughed quietly as I imagined Arnold Schwarzenegger's Terminator hunting down this scamster in the streets of Calcutta. Perhaps he should have come up with a more convincing name."

New Windows Coming In Late September -- But Which One?

timothy posted about 2 months ago | from the double-insulated dept.

Operating Systems 251

snydeq (1272828) writes "Nobody seems to know for sure whether 'Threshold' and 'Windows 9' will be one and the same or separate operating systems, reports Woody Leonhard in his roundup of insights on Microsoft's forthcoming OS plans, expected September 30. 'Many people think the terms are synonymous, but longtime Chinese leaker Faikee continues to maintain that they are two separate products, possibly headed in different directions. Neowin Senior Editor and Columnist Brad Sams appears to have access to the most recent test builds, possibly on a daily basis. He doesn't talk about details, but the items he's let drop on the Neowin forum leave an interesting trail of crumbs.' Either way, the next iteration of Windows will have a lot to say about the kind of Microsoft to expect as Satya Nadella cements his leadership over the flagship OS."

$75K Prosthetic Arm Is Bricked When Paired iPod Is Stolen

timothy posted about 2 months ago | from the what-about-backups dept.

Bug 194

kdataman writes U.S. Army Staff Sgt. Ben Eberle, who lost an arm and both legs in Afghanistan, had his Ipod Touch stolen on Friday. This particular Ipod Touch has an app on it that controls his $75,000 prosthetic arm. The robbery bricked his prosthesis: "That is because Eberle's prosthetic hand is programmed to only work with the stolen iPod, and vice versa. Now that the iPod is gone, he said he has to get a new hand and get it reprogrammed with his prosthesis." I see three possibilities: 1) The article is wrong, possibly to guilt the thief into returning the Ipod. 2) This is an incredibly bad design by Touch Bionics. Why would you make a $70,000 piece of equipment permanently dependent on a specific Ipod Touch? Ipods do fail or go missing. 3) This is an intentionally bad design to generate revenue. Maybe GM should do this with car keys? "Oops, lost the keys to the corvette. Better buy a new one."

Securing the US Electrical Grid

samzenpus posted about 2 months ago | from the locking-things-down dept.

Security 117

An anonymous reader writes The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather. In this interview with Help Net Security, Dan Mahaffee, the Director of Policy at CSPC, discusses critical security challenges.

Securing Networks In the Internet of Things Era

timothy posted about 2 months ago | from the glad-that-someone-finally-invented-things dept.

Communications 106

An anonymous reader writes "Gartner reckons that the number of connected devices will hit 26 billion by 2020, almost 30 times the number of devices connected to the IoT in 2009. This estimate doesn't even include connected PCs, tablets and smartphones. The IoT will represent the biggest change to our relationship with the Internet since its inception. Many IoT devices themselves suffer from security limitations as a result of their minimal computing capabilities. For instance, the majority don't support sufficiently robust mechanisms for authentication, leaving network admins with only weak alternatives or sometimes no alternatives at all. As a result, it can be difficult for organizations to provide secure network access for certain IoT devices."

Researchers Hack Gmail With 92 Percent Success Rate

Soulskill posted about 2 months ago | from the good-enough-for-an-A dept.

Android 87

SternisheFan sends this report from CNET: Researchers at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a weakness they believe to exist across Android, Windows, and iOS operating systems that could allow malicious apps to obtain personal information. Although it was tested only on an Android phone, the team believes that the method could be used across all three operating systems because all three share a similar feature: all apps can access a mobile device's shared memory. "The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user." To demonstrate the method of attack, first a user must download an app that appears benign, such as a wallpaper, but actually contains malicious code. Once installed, the researchers can use it to access the shared memory statistics of any process (PDF), which doesn't require any special privileges.

NSA Agents Leak Tor Bugs To Developers

Soulskill posted about 2 months ago | from the right-hand-thinks-the-left-hand-is-a-jerk dept.

Encryption 116

An anonymous reader writes: We've known for a while that NSA specifically targets Tor, because they want to disrupt one of the last remaining communication methods they aren't able to tap or demand access to. However, not everybody at the NSA is on board with this strategy. Tor developer Andrew Lewman says even as flaws in Tor are rooted out by the NSA and British counterpart GCHQ, other agents from the two organizations leak those flaws directly to the developers, so they can be fixed quickly. He said, "You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software." Lewman estimates the Tor Project receives these reports on a monthly basis. He also spoke about how a growing amount of users will affect Tor. He suggests a massive company like Google or Facebook will eventually have to take up the task of making Tor scale up to millions of users.

It's Easy To Hack Traffic Lights

Soulskill posted about 2 months ago | from the looking-forward-to-the-mobile-app dept.

Transportation 144

An anonymous reader notes coverage of research from the University of Michigan into the ease with which attackers can hack traffic lights. From the article: As is typical in large urban areas, the traffic lights in the subject city are networked in a tree-type topology, allowing them to pass information to and receive instruction from a central management point. The network is IP-based, with all the nodes (intersections and management computers) on a single subnet. In order to save on installation costs and increase flexibility, the traffic light system uses wireless radios rather than dedicated physical networking links for its communication infrastructure—and that’s the hole the research team exploited. ... The 5.8GHz network has no password and uses no encryption; with a proper radio in hand, joining is trivial. ... The research team quickly discovered that the debug port was open on the live controllers and could directly "read and write arbitrary memory locations, kill tasks, and even reboot the device (PDF)." Debug access to the system also let the researchers look at how the controller communicates to its attached devices—the traffic lights and intersection cameras. They quickly discovered that the control system’s communication was totally non-obfuscated and easy to understand—and easy to subvert.

UPS: We've Been Hacked

samzenpus posted about 2 months ago | from the protect-ya-neck dept.

Security 62

paysonwelch writes The United Parcel Service announced that customers' credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS. The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

Future Hack: New Cybersecurity Tool Predicts Breaches Before They Happen

Soulskill posted about 2 months ago | from the do-androids-dream-of-electric-wolves? dept.

Security 33

An anonymous reader writes: A new research paper (PDF) outlines security software that scans and scrapes web sites (past and present) to identify patterms leading up to a security breach. It then accurately predicts what websites will be hacked in the future. The tool has an accuracy of up to 66%. Quoting: "The algorithm is designed to automatically detect whether a Web server is likely to become malicious in the future by analyzing a wide array of the site's characteristics: For example, what software does the server run? What keywords are present? How are the Web pages structured? If your website has a whole lot in common with another website that ended up hacked, the classifier will predict a gloomy future. The classifier itself always updates and evolves, the researchers wrote. It can 'quickly adapt to emerging threats.'"

Book Review: Social Engineering In IT Security Tools, Tactics, and Techniques

samzenpus posted about 2 months ago | from the read-all-about-it dept.

Books 45

benrothke writes When I got a copy of Social Engineering in IT Security Tools, Tactics, and Techniques by Sharon Conheady, my first thought was that it likely could not have much that Christopher Hadnagy didn't already detail in the definitive text on the topic: Social Engineering: The Art of Human Hacking. Obviously Hadnagy thought differently, as he wrote the forward to the book; which he found to be a valuable resource. While there is overlap between the two books; Hadnagy's book takes a somewhat more aggressive tool-based approach, while Conheady take a somewhat more passive, purely social approach to the topic. There are many more software tools in Hadnagy; while Conheady doesn't reference software tools until nearly half-way through the book. This book provides an extensive introduction to the topic and details how social engineering has evolved through the centuries. Conheady writes how the overall tactics and goals have stayed the same; while the tools and techniques have been modified to suit the times. Keep reading for the rest of Ben's review.

Couchsurfing Hacked, Sends Airbnb Prank Spam

timothy posted about 2 months ago | from the or-we'll-shoot-this-dog dept.

Spam 44

Slashdot regular (and Couchsurfing.org volunteer) Bennett Haselton writes with a report that an anonymous prankster hacked the Couchsurfing.org website and sent spam to about 1 million members, snarkily advertising their commercial arch-rival Airbnb as "the new Couchsurfing." (Read on below for more on the breach.) As of now, the spam's been caught, but not the spammer.

Smartphone Kill Switch, Consumer Boon Or Way For Government To Brick Your Phone?

samzenpus posted about 2 months ago | from the best-of-both-worlds dept.

Government 299

MojoKid writes We're often told that having a kill switch in our mobile devices — mostly our smartphones — is a good thing. At a basic level, that's hard to disagree with. If every mobile device had a built-in kill switch, theft would go down — who would waste their time over a device that probably won't work for very long? Here's where the problem lays: It's law enforcement that's pushing so hard for these kill switches. We first learned about this last summer, and this past May, California passed a law that requires smartphone vendors to implement the feature. In practice, if a smartphone has been stolen, or has been somehow compromised, its user or manufacturer would be able to remotely kill off its usability, something that would be reversed once the phone gets back into its rightful owner's hands. However, such functionality should be limited to the device's owner, and no one else. If the owner can disable a phone with nothing but access to a computer or another mobile device, so can Google, Samsung, Microsoft, Nokia or Apple. If the designers of a phone's operating system can brick a phone, guess who else can do the same? Everybody from the NSA to your friendly neighborhood police force, that's who. At most, all they'll need is a convincing argument that they're acting in the interest of "public safety."

Tor Browser Security Under Scrutiny

Soulskill posted about 2 months ago | from the shouldn't-we-be-funding-this-better dept.

Encryption 80

msm1267 writes: The keepers of Tor commissioned a study testing the defenses and viability of their Firefox-based browser as a privacy tool. The results (PDF) were a bit eye-opening since the report's recommendations don't favor Firefox as a baseline for Tor, rather Google Chrome. But Tor's handlers concede that budget constraints and Chrome's limitations on proxy support make a switch or a fork impossible.

Researchers Find Security Flaws In Backscatter X-ray Scanners

Soulskill posted about 2 months ago | from the raise-your-hand-if-you're-surprised dept.

Security 146

An anonymous reader writes: Researchers from UC San Diego, University of Michigan, and Johns Hopkins say they've found security vulnerabilities in full-body backscatter X-ray machines deployed to U.S. airports between 2009 and 2013. In lab tests, the researchers were able to conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner, plus modify the scanner software so it presents an "all-clear" image to the operator even when contraband was detected. "Frankly, we were shocked by what we found," said lead researcher J. Alex Halderman. "A clever attacker can smuggle contraband past the machines using surprisingly low-tech techniques."

51% of Computer Users Share Passwords

Unknown Lamer posted about 2 months ago | from the rm-rf-/-of-shame dept.

Security 117

An anonymous reader writes Consumers are inadvertently leaving back doors open to attackers as they share login details and sign up for automatic log on to mobile apps and services, according to new research by Intercede. While 52% of respondents stated that security was a top priority when choosing a mobile device, 51% are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues. The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

Your Phone Can Be Snooped On Using Its Gyroscope

Unknown Lamer posted about 2 months ago | from the phone-can-be-snooped-on-by-everything dept.

Cellphones 96

stephendavion (2872091) writes Researchers will demonstrate the process used to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. Researchers from Stanford and a defense research group at Rafael will demonstrate a way to spy on smartphones using gyroscopes at Usenix Security event on August 22, 2014. According to the "Gyrophone: Recognizing Speech From Gyroscope Signals" study, the gyroscopes integrated into smartphones were sensitive enough to enable some sound waves to be picked up, transforming them into crude microphones.

Heartbleed To Blame For Community Health Systems Breach

Soulskill posted about 2 months ago | from the bet-you-wish-you'd-patched dept.

Security 89

An anonymous reader writes: The Heartbleed vulnerability is the cause of the data breach at Community Health Systems, which resulted in 4.5 million records (containing patient data) being compromised. According to a blog post from TrustedSec, the attackers targeted a vulnerable Juniper router and obtained credentials, which allowed them access to the network's VPN.

C++14 Is Set In Stone

timothy posted about 2 months ago | from the but-it's-a-soft-stone dept.

Programming 193

jones_supa (887896) writes "Apart from minor editorial tweaks, the ISO C++14 standard can be considered completed. Implementations are already shipping by major suppliers. C++14 is mostly an incremental update over C++11 with some new features like function return type deduction, variable templates, binary literals, generic lambdas, and so on. The official C++14 specification release will arrive later in the year, but for now Wikipedia serves as a good overview of the feature set."

Nuclear Regulator Hacked 3 Times In 3 Years

timothy posted about 2 months ago | from the once-a-year-to-keep-in-practice dept.

Government 66

mdsolar (1045926) writes with this disconcerting story from CNet about security breaches at the U.S. Nuclear Regulatory Commission, revealed in a new report to have been compromised three times in the last three years: The body that governs America's nuclear power providers said in an internal investigation that two of the hacks are suspected to have come from unnamed foreign countries, the news site Nextgov reported based on a Freedom of Information Act request. The source of the third hack could not be identified because the logs of the incident had been destroyed, the report said. Hackers, often sponsored by foreign governments, have targeted the US more frequently in recent years. A report (PDF) on attacks against government computers noted that there was a 35 percent increase between 2010 and 2013.

Intruders used common hacking techniques to get at the NRC's computers. One attack linked to a foreign country or individual involved phishing emails that coerced NRC employees into submitting their login credentials. The second one linked to a foreign government or individual used spearphishing, or emails targeted at specific NRC employees, to convince them to click a link that led to a malware site hosted on Microsoft's cloud storage site SkyDrive, now called OneDrive. The third attack involved breaking into the personal account of a NRC employee. After sending a malicious PDF attachment to 16 other NRC employees, one person was infected with malware.

AMD Launches Radeon R7 Series Solid State Drives With OCZ

timothy posted about 2 months ago | from the brand-awareness dept.

Data Storage 64

MojoKid (1002251) writes AMD is launching a new family of products today, but unless you follow the rumor mill closely, it's probably not something you'd expect. It's not a new CPU, APU, or GPU. Today, AMD is launching its first line of solid state drives (SSDs), targeted squarely at AMD enthusiasts. AMD is calling the new family of drives, the Radeon R7 Series SSD, similar to its popular mid-range line of graphics cards. The new Radeon R7 Series SSDs feature OCZ and Toshiba technology, but with a proprietary firmware geared towards write performance and high endurance. Open up one of AMD's new SSDs and you'll see OCZ's Indilinx Barefoot 3 M00 controller on board—the same controller used in the OCZ Vector 150, though it is clocked higher in these drives. That controller is paired to A19nm Toshiba MLC (Multi-Level Cell) NAND flash memory and a DDR3-1333MHz DRAM cache. The 120GB and 240GB drives sport 512MB of cache memory, while the 480GB model will be outfitted with 1GB. Interestingly enough, AMD Radeon R7 Series SSDs are some of the all-around, highest-performing SATA SSDs tested to date. IOPS performance is among the best seen in a consumer-class SSD, write throughput and access times are highly-competitive across the board, and the drive offered consistent performance regardless of the data type being transferred. Read performance is also strong, though not quite as stand-out as write performance.

Research Unveils Improved Method To Let Computers Know You Are Human

Unknown Lamer posted about 2 months ago | from the until-computers-improve dept.

Security 91

An anonymous reader writes CAPTCHA services that require users to recognize and type in static distorted characters may be a method of the past, according to studies published by researchers at the University of Alabama at Birmingham. Researchers focused on a broad form of gamelike CAPTCHAs, called dynamic cognitive game, or DCG, CAPTCHAs, which challenge the user to perform a gamelike cognitive task interacting with a series of dynamic images. For example, in a "ship parking" DCG challenge, the user is required to identify the boat from a set of moving objects and drag-and-drop it to the available "dock" location. The puzzle is easy for the human user to solve, but may be difficult for a computer program to figure out. The game-like nature may make the process more engaging for the user compared to conventional text-based CAPTCHAs. There are a couple research papers available: "A Three-Way Investigation of a Game-CAPTCHA: Automated Attacks, Relay Attacks and Usability" and "Dynamic Cognitive Game CAPTCHA Usability and Detection of Streaming-Based Farming."

Hackers Steal Data Of 4.5 Million US Hospital Patients

Unknown Lamer posted about 2 months ago | from the security-through-whoops dept.

Security 111

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

Linux Kernel Git Repositories Add 2-Factor Authentication

samzenpus posted about 2 months ago | from the locking-things-down dept.

Security 49

LibbyMC writes For a few years now Linux kernel developers have followed a fairly strict authentication policy for those who commit directly to the git repositories housing the Linux kernel. Each is issued their own ssh private key, which then becomes the sole way for them to push code changes to the git repositories hosted at kernel.org. While using ssh keys is much more secure than just passwords, there are still a number of ways for ssh private keys to fall into malicious hands. So they've further tightened access requirements with two-factor authentication using yubikeys.

Daimler's Solution For Annoying Out-of-office Email: Delete It

samzenpus posted about 2 months ago | from the keep-your-away-messages-to-yourself dept.

Businesses 232

AmiMoJo writes Sure, you can set an out-of-office auto-reply to let others know they shouldn't email you, but that doesn't usually stop the messages; you may still have to handle those urgent-but-not-really requests while you're on vacation. That's not a problem if you work at Daimler, though. The German automaker recently installed software that not only auto-replies to email sent while staff is away, but deletes it outright.

Windows 8.1 Update Crippling PCs With BSOD, Microsoft Suggests You Roll Back

samzenpus posted about 2 months ago | from the back-to-the-old dept.

Bug 304

MojoKid writes Right on schedule, Microsoft rolled-out an onslaught of patches for its "Patch Tuesday" last week, and despite the fact that it wasn't the true "Update 2" for Windows 8.1 many of us were hoping for, updates are generally worth snatching up. Since the patch rollout, it's been discovered that four individual updates are causing random BSoD issues for its users, with KB2982791, a kernel-mode related driver, being the biggest culprit. Because of the bug's severity, Microsoft is recommending that anyone who updated go and uninstall a couple of the specific updates, or rollback using Windows Restore. You can uninstall these updates in much the same way you uninstall any app; the difference is that once you're in the "Programs and Features" section, you'll need to click on "View installed updates" on the left. While it's mostly recommended that you uninstall 2982791, you may wish to uninstall the others as well, just in case.

New Cridex Malware Copies Tactics From GameOver Zeus

samzenpus posted about 2 months ago | from the imitation-is-the-sincerest-form-of-flattery dept.

Security 18

Trailrunner7 writes The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM's X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ's penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

"There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we've witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators," Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.

Companies That Don't Understand Engineers Don't Respect Engineers

Soulskill posted about 2 months ago | from the if-you-aren't-part-of-the-solution,-you're-part-of-the-preciptate dept.

Businesses 371

An anonymous reader writes Following up on a recent experiment into the status of software engineers versus managers, Jon Evans writes that the easiest way to find out which companies don't respect their engineers is to learn which companies simply don't understand them. "Engineers are treated as less-than-equal because we are often viewed as idiot savants. We may speak the magic language of machines, the thinking goes, but we aren't business people, so we aren't qualified to make the most important decisions. ... Whereas in fact any engineer worth her salt will tell you that she makes business decisions daily–albeit on the micro not macro level–because she has to in order to get the job done. Exactly how long should this database field be? And of what datatype? How and where should it be validated? How do we handle all of the edge cases? These are in fact business decisions, and we make them, because we're at the proverbial coal face, and it would take forever to run every single one of them by the product people and sometimes they wouldn't even understand the technical factors involved. ... It might have made some sense to treat them as separate-but-slightly-inferior when technology was not at the heart of almost every business, but not any more."

Ask Slashdot: How Dead Is Antivirus, Exactly?

Soulskill posted about 2 months ago | from the deader-than-an-arbitrarily-dead-thing dept.

Security 331

Safensoft writes: Symantec recently made a loud statement that antivirus is dead and that they don't really consider it to be a source of profit. Some companies said the same afterwards; some other suggested that Symantec just wants a bit of free media attention. The press is full of data on antivirus efficiency being quite low. A notable example would be the Zeus banking Trojan, and how only 40% of its versions can be stopped by antivirus software. The arms race between malware authors and security companies is unlikely to stop.

On the other hand, experts' opinions of antivirus software have been low for a while, so it's hardly surprising. It's not a panacea. The only question that remains is: how exactly should antivirus operate in modern security solutions? Should it be one of the key parts of a protection solution, or it should be reduced to only stopping the easiest and most well-known threats?

Threats aren't the only issue — there are also performance concerns. Processors get better, and interaction with hard drives becomes faster, but at the same time antivirus solutions require more and more of that power. Real-time file scanning, constant updates and regular checks on the whole system only mean one thing – as long as antivirus is thorough, productivity while using a computer goes down severely. This situation is not going to change, ever, so we have to deal with it. But how, exactly? Is a massive migration of everything, from workstations to automatic control systems in industry, even possible? Is using whitelisting protection on Windows-based machines is the answer? Or we should all just sit and hope for Microsoft to give us a new Windows with good integrated protection? Are there any other ways to deal with it?

Google Brings Chrome OS User Management To Chrome

timothy posted about 2 months ago | from the whaddya-mean-you-can't-do-that-in-a-web-browser? dept.

Chrome 68

An anonymous reader writes "Google is toying with a complete revamp of the user account system in its browser. Google is essentially pulling the user management system from Chrome OS back into Chrome. The company's thinking is likely two-layered. First, it wants users to stay in the browser for as long as possible, and thus it wants the switching process to be part of Chrome as opposed to Windows, Mac, or Linux. Second, if it can teach users to have accounts in Chrome (as well as use incognito and guest modes), the learning curve will have been flattened for when they encounter Chrome OS."

Supervalu Becomes Another Hacking Victim

Soulskill posted about 2 months ago | from the another-day-another-breach dept.

Security 27

plover sends this news about another possible exposure of customer data: Supervalu is the latest retailer to experience a data breach, announcing today that cybercriminals had accessed payment card transactions at some of its stores. The Minneapolis-based company said it had "experienced a criminal intrusion" into the portion of its computer network that processes payment card transactions for some of its stores. There was no confirmation that any cardholder data was in fact stolen and no evidence the data was misused, according to the company. The event occurred between June 22 and July 17, 2014 at 180 Supervalu stores and stand-alone liquor stores. Affected banners include Cub Foods, Farm Fresh, Hornbacher's, Shop 'n Save and Shoppers Food & Pharmacy.

Watch a Cat Video, Get Hacked: the Death of Clear-Text

Soulskill posted about 2 months ago | from the internet-doomed dept.

Security 166

New submitter onproton writes: Citizen Lab released new research today on a targeted exploitation technique used by state actors involving "network injection appliances" installed at ISPs. These devices can target and intercept unencrypted YouTube traffic and replace it with malicious code that gives the operator control over the system or installs a surveillance backdoor. One of the researchers writes, "many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites...many of these commonly held beliefs are not necessarily true." This technique is largely designed for targeted attacks, so it's likely most of us will be safe for now — but just one more reminder to use https.

The Billion-Dollar Website

Soulskill posted about 2 months ago | from the get-what-you-paid-for-minus-a-billion-dollars dept.

Government 194

stoborrobots writes: The Government Accountability Office has investigated the cost blowouts associated with how the Centers for Medicare & Medicaid Services (CMS) handled the Healthcare.gov project. It has released a 60-page report entitled Healthcare.gov: Ineffective Planning and Oversight Practices Underscore the Need for Improved Contract Management, with a 5 page summary. The key takeaway messages are:

  • CMS undertook the development of Healthcare.gov and its related systems without effective planning or oversight practices...
  • [The task] was a complex effort with compressed time frames. To be expedient, CMS issued task orders ... when key technical requirements were unknown...
  • CMS identified major performance issues ... but took only limited steps to hold the contractor accountable.
  • CMS awarded a new contract to another firm [and the new contract's cost has doubled] due to changes such as new requirements and other enhancements...

US Defense Contractors Still Waiting For Breach Notification Rules

samzenpus posted about 2 months ago | from the a-little-while-longer dept.

United States 19

An anonymous reader writes US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement has been mandated by the US Congress last year, in an attempt to get clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.

Can Our Computers Continue To Get Smaller and More Powerful?

timothy posted about 2 months ago | from the where-is-the-orchard-of-low-hanging-fruit? dept.

Upgrades 151

aarondubrow (1866212) writes In a [note, paywalled] review article in this week's issue of the journal Nature (described in a National Science Foundation press release), Igor Markov of the University of Michigan/Google reviews limiting factors in the development of computing systems to help determine what is achievable, in principle and in practice, using today's and emerging technologies. "Understanding these important limits," says Markov, "will help us to bet on the right new techniques and technologies." Ars Technica does a great job of expanding on the various limitations that Markov describes, and the ways in which engineering can push back against them.

Google Expands Safe Browsing To Block Unwanted Downloads

timothy posted about 2 months ago | from the now-you-can-turn-off-adblock dept.

Google 106

An anonymous reader writes "Google today announced it is expanding its Safe Browsing service to protect users against malware that makes unexpected changes to your computer. Google says it will show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software. In the case of malware, PUA stands for Potentially Unwanted Application, which is also sometimes called Potentially Unwanted Program or PUP. In short, the broad terms encompass any downloads that the user does not want, typically because they display popups, show ads, install toolbars in the default browser, change the homepage or the search engine, run several processes in the background that slow down the PC, and so on."

Microsoft Black Tuesday Patches Bring Blue Screens of Death

timothy posted about 2 months ago | from the but-wait-for-the-patch dept.

Bug 179

snydeq (1272828) writes "Two of Microsoft's kernel-mode driver updates — which often cause problems — are triggering a BSOD error message on some Windows systems, InfoWorld reports. 'Details at this point are sparse, but it looks like three different patches from this week's Black Tuesday crop are causing Blue Screens with a Stop 0x50 error on some systems. If you're hitting a BSOD, you can help diagnose the problem (and perhaps prod Microsoft to find a solution) by adding your voice to the Microsoft Answers Forum thread on the subject.'"

The Biggest iPhone Security Risk Could Be Connecting One To a Computer

timothy posted about 2 months ago | from the seems-an-obvious-hole dept.

IOS 72

angry tapir (1463043) writes Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

Ryan Lackey, Marc Rogers Reveal Inexpensive Tor Router Project At Def Con

timothy posted about 2 months ago | from the widespread-and-easy-are-tightly-linked dept.

Communications 38

An anonymous reader writes Ryan Lackey of CloudFlare and Marc Rogers of Lookout revealed a new OPSEC device at Def Con called PORTAL (Personal Onion Router to Assure Liberty). It "provides always-on Tor routing, as well as 'pluggable' transport for Tor that can hide the service's traffic signature from some deep packet inspection systems." In essence, PORTAL is a travel router that the user simply plugs into their existing device for more than basic Tor protection (counterpoint to PogoPlug Safeplug and Onion Pi). On the down side, you have to download PORTAL from Github and flash it "onto a TP-Link compatible packet router." The guys behind the device acknowledge that not many people may want to (or even know how to) do that, so they're asking everyone to standby because a solution is pending. The project's GitHub page has a README file that lists compatible models, with some caveats: "It is highly recommended to use a modified router. The modified MR11U and WR703N provide a better experience than the stock routers due to the additional RAM. The severe space constraints of the stock router make them very challenging to work with. Due to the lack of usable space, it is necessary to use an external disk to store the Tor packages. The stock router has only a single USB port, and the best option is to use a microSD in a 3G modem." (Note: Lackey is no stranger to helping people secure internet privacy.)

DEFCON's Latest Challenge: Hacking Altruism

Soulskill posted about 2 months ago | from the teach-a-man-to-phish dept.

Security 47

jfruh writes: A casual observer at the latest DEFCON conference in Las Vegas might not have noticed much change from last year — still tons of leather, piercing, and body art, still groups of men gathered in darkened ballrooms furiously typing commands. But this year there's a new focus: hacking not just for the lulz, but focusing specifically on highlighting computer security problems that have the potential to do real-world physical harm to human beings.

Password Gropers Hit Peak Stupid, Take the Spamtrap Bait

Unknown Lamer posted about 2 months ago | from the bad-strategy dept.

Security 100

badger.foo (447981) writes Peter Hansteen reports that a new distributed and slow-moving password guessing effort is underway, much like the earlier reports, but this time with a twist: The users they are trying to access do not exist. Instead, they're taken from the bsdly.net spamtrap address list, where all listed email addresses are guaranteed to be invalid in their listed domains. There is a tiny chance that this is an elaborate prank or joke, but it's more likely that via excessive automation, the password gropers have finally hit Peak Stupid.

Samsung Announces Galaxy Alpha Featuring Metal Frame and Rounded Corners

Unknown Lamer posted about 2 months ago | from the strange-sense-of-deja-vu dept.

Cellphones 220

mrspoonsi (2955715) writes with word that Samsung is hopping on the metal case and rounded corners design bandwagon. From the article: Samsung says a metal frame and curved corners give the Galaxy Alpha a "sophisticated" look. The South Korean company describes the Galaxy Alpha as representing a "new design approach". The firm has previously been criticised for the plastic feel of its handsets at a time when other firms have opted to use materials marketed as having a "premium" feel. Samsung Electronics saw a 20% year-on-year drop in its last quarter's profit. The phone features 2G of RAM, a 4.7" AMOLED display, and either an 8-core Exynos 5 or 4-core Snapdragon 801.

A Look At Advanced Targeted Attacks Through the Lens of a Human-Rights NGO

Unknown Lamer posted about 2 months ago | from the shotgun-network-intrusion dept.

Security 25

An anonymous reader writes New research was released on cyber-attacks via human-rights NGO World Uyghur Congress over a period of four years. Academic analysis was conducted through the lens of a human-rights NGO representing a minority living in China and in exile when most targeted attack reports are against large organizations with apparent or actual financial or IP theft unlike WUC, and reported by commercial entities rather than academics. The attacks were a combination of sophisticated social engineering via email written primarily in the Uyghur language, in some cases through compromised WUC email accounts, and with advanced malware embedded in attached documents. Suspicious emails were sent to more than 700 different email addresses, including WUC leaders as well as journalists, politicians, academics and employees of other NGOs (including Amnesty International and Save Tibet — International Campaign for Tibet). The study will be presented at USENIX on August 21, and the full paper is already available.

The Quiet Before the Next IT Revolution

Soulskill posted about 2 months ago | from the before-the-AIs-violently-revolt dept.

IT 145

snydeq writes: Now that the technologies behind our servers and networks have stabilized, IT can look forward to a different kind of constant change, writes Paul Venezia. "In IT, we are actually seeing a bit of stasis. I don't mean that the IT world isn't moving at the speed of light — it is — but the technologies we use in our corporate data centers have progressed to the point where we can leave them be for the foreseeable future without worry that they will cause blocking problems in other areas of the infrastructure. What all this means for IT is not that we can finally sit back and take a break after decades of turbulence, but that we can now focus less on the foundational elements of IT and more on the refinements. ... In essence, we have finally built the transcontinental railroad, and now we can use it to completely transform our Wild West."

Slashdot Login

Need an Account?

Forgot your password?