Security

Government Still Hasn't Notified Individuals Whose Personal Data Was Hacked

schwit1 writes: Months after the federal government admitted publicly that the personal data of more than 20 million government employees had been hacked they still have not sent notifications to those millions. The agency whose data was hacked, the Office of Personnel Management (OPM), said the Defense Department will begin "later this month" to notify employees and contractors across the government that their personal information was accessed by hackers. OPM said notifications would continue over several weeks and "will be sent directly to impacted individuals." OPM also announced that it hired a contractor to help protect the identities and credit ratings of employees whose data was hacked. In a statement, OPM said it had awarded a contract initially worth more than $133 million to a company called Identity Theft Guard Solutions LLC, doing business as ID experts, for identity theft protections for the 21.5 million victims of the security data breach. The contractor will provide credit and identity monitoring services for three years, as well as identity theft insurance, to affected individuals and dependent children aged under 18, the agency said.
Security

Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure

itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.
Security

Check Point Introduces New CPU-Level Threat Prevention

An anonymous reader writes: After buying Israeli startup company Hyperwise earlier this year, Check Point Software Technologies (Nasdaq: CHKP) now unveils its newest solution for defeating malware. Their new offering, called SandBlast, includes CPU-Level Threat Emulation, developed at Hyperwise, which is able to defeat exploits faster and more accurately than any other solution by leveraging the CPU debugging instruction set in Intel Haswell, unlike known anti-exploitation solutions like kBouncer or ROPecker, which use older instruction sets and are therefore bypassable. SandBlast also features Threat Extraction — the ability to extract susceptible parts from incoming documents.
Security

"Extremely Critical" OS X Keychain Vulnerability Steals Passwords Via SMS

Mark Wilson writes: Two security researchers have discovered a serious vulnerability in OS X that could allow an attacker to steal passwords and other credentials in an almost invisible way. Antoine Vincent Jebara and Raja Rahbani — two of the team behind the myki identity management security software — found that a series of terminal commands can be used to extract a range of stored credentials. What is particularly worrying about the vulnerability is that it requires virtually no interaction from the victim; simulated mouse clicks can be used to click on hidden buttons to grant permission to access the keychain. Apple has been informed of the issue, but a fix is yet to be issued. The attack, known as brokenchain, is disturbingly easy to execute. Ars reports that this weakness has been exploited for four years.
Open Source

Netflix Open Sources Sleepy Puppy XSS Hunter

msm1267 writes: Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable, but could be stored in a database and tracks the payload if it's reflected to a secondary application that makes use of the data in the same field. "We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible," said co-developer Scott Behrens, a senior application security engineer at Netflix. "We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications." Sleepy Puppy is available on Netflix's Github repository and is one of a slew of security tools its engineers have released to open source.
Businesses

Why Do So Many Tech Workers Dislike Their Jobs?

Nerval's Lobster writes: So what if you work for a tech company that offers free lunch, in-house gym, and dry cleaning? A new survey suggests that a majority of software engineers, developers, and sysadmins are miserable. Granted, the survey in question only involved 5,000 respondents, so it shouldn't be viewed as comprehensive (it was also conducted by a company that deals in employee engagement), but it's nonetheless insightful into the reasons why a lot of tech pros apparently dislike their jobs. Apparently perks don't matter quite so much if your employees have no sense of mission, don't have a clear sense of how they can get promoted, and don't interact with their co-workers very well. While that should be glaringly obvious, a lot of companies are still fixated on the idea that minor perks will apparently translate into huge morale boosts; but free smoothies in the cafeteria only goes so far.
Medicine

Hacking Medical Mannequins

An anonymous reader writes: A team of researchers at the University of South Alabama is investigating potential breaches of medical devices used in training, taking the mannequin iStan as its prime target in its scenario-based research. Identifying the network security solution and network protocol as the vulnerable components, the team was able to carry out brute force attacks against the router PIN, and denial of service (DDoS) attacks, using open source tools such as BackTrack.
Security

Shifu Banking Trojan Has an Antivirus Feature To Keep Other Malware At Bay

An anonymous reader writes: Shifu is a banking trojan that's currently attacking 14 Japanese banks. Once it has infected a victim's machine, it will install a special module that keeps other banking-related trojans at bay. If this module sees suspicious, malware-looking content (unsigned executables) from unsecure HTTP connections, it tries to stop them. If it fails, it renames them to "infected.exx" and sends them to its C&C server. If the file is designed to autorun, Shifu will spoof an operating system "Out of memory" message.
Encryption

Browser Makers To End RC4 Support In Early 2016

msm1267 writes: Google, Microsoft and Mozilla today announced they've settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers. Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome and Internet Explorer 11 (and Microsoft Edge) respectively will also do so in the January-February timeframe. Attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.
Encryption

Turkey Arrests Journalists For Using Encryption

An anonymous reader sends news that three employees of Vice News were arrested in Turkey because one of them used an encryption system on his personal computer. That particular type of encryption has been used by the terrorist organization known as the Islamic State, so the men were charged with "engaging in terrorist activity." The head of a local lawyers association said, "I find it ridiculous that they were taken into custody. I don't believe there is any accuracy to what they are charged for. To me, it seems like an attempt by the government to get international journalists away from the area of conflict." The Turkish government denied these claims: "This is an unpleasant incident, but the judiciary is moving forward with the investigation independently and, contrary to claims, the government has no role in the proceedings."
Firefox

Mozilla Project Working on Immersive Displays (Video)

Yes, it's 3-D, and works with the Firefox browser. But that's not all. The MozVR virtual reality system is not just for Firefox, and it can incorporate infrared and other sensors to give a more complete picture than can be derived from visible light alone. In theory, the user's (client) computer needs no special hardware beyond a decent GPU and an Oculus Rift headset. Everything else lives on a server.

Is this the future of consumer displays? Even if not, the development is fun to watch, which you can start doing at mozvr.com -- and if you're serious about learning about this project you may want to read our interview transcript in addition to watching the video, because the transcript contains additional information.
Security

Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft

Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware as well. The vulnerabilities have not been patched by Belkin, and the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.
Stats

Windows 10 Grabs 5.21% Market Share, Passing Windows Vista and Windows 8

An anonymous reader writes: The effects of a free upgrade to Windows 10 are starting to trickle in. Available for just over a month, Windows 10 has now captured more than 5 percent market share, according to the latest figures from Net Applications. In just four weeks, Windows 10 has already been installed on over 75 million PCs. Microsoft is aiming to have 1 billion devices running Windows 10 "in two to three years," though that includes not just PCs, but smartphones, consoles, and other devices as well.
Spam

Ask Slashdot: Should I Publish My Collection of Email Spamming IP Addresses?

An anonymous reader writes: I have, for a while now, been collecting IP addresses from which email spam has been sent to, or attempted to be relayed through, my email server. I was wondering if I should publish them, so that others can adopt whatever steps are necessary to protect their email servers from that vermin. However, I am facing ethical issues here. What if the addresses are simply spoofed, and therefore branding them as spamming addresses might cause harm to innocent parties? What if, after having been co-opted by spammers, they are now used legitimately? I wonder if there's a market for all the thousands of webmail addresses that send Slashdot nothing but spam.
United States

US Weighs Sanctioning Russia As Well As China In Cyber Attacks

New submitter lvbees7 writes with news that U.S. officials have warned that the government may impose sanctions against Russia and China following cyber attacks on commercial targets. According to the Reuters story: The officials, who spoke on condition of anonymity, said no final decision had been made on imposing sanctions, which could strain relations with Russia further and, if they came soon, cast a pall over a state visit by Chinese President Xi Jinping in September. The Washington Post first reported the Obama administration was considering sanctioning Chinese targets, possibly within the next few weeks, and said that individuals and firms from other nations could also be targeted. It did not mention Russia.
Security

Six UK Teens Arrested For Being "Customers" of Lizard Squad's DDoS Service

An anonymous reader writes: UK officials have arrested six teenagers suspected of utilizing Lizard Squad's website attack tool called "Lizard Stresser". Lizard Squad claimed responsibility for the infamous Christmas Day Xbox Live and PlayStation Network attacks. The teenagers "are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous," an NCA spokesperson wrote in an official statement on the case. "Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies, and a number of online retailers."
Businesses

Apple Partners With Cisco To Boost Enterprise Business

An anonymous reader writes: Apple and Cisco announced a partnership aimed at helping Apple's devices work better for businesses. Cisco will provide services specially optimized for iOS devices across mobile, cloud, and on premises-based collaboration tools such as Cisco Spark, Cisco Telepresence and Cisco WebEx, the companies said in a statement. "What makes this new partnership unique is that our engineering teams are innovating together to build joint solutions that our sales teams and partners will take jointly to our customers," Cisco Chief Executive Chuck Robbins said in a blog post.
Programming

The Most Important Obscure Languages?

Nerval's Lobster writes: If you're a programmer, you're knowledgeable about "big" languages such as Java and C++. But what about those little-known languages you only hear about occasionally? Which ones have an impact on the world that belies their obscurity? Erlang (used in high-performance, parallel systems) springs immediately to mind, as does R, which is relied upon by mathematicians and analysts to crunch all sorts of data. But surely there are a handful of others, used only by a subset of people, that nonetheless inform large and important platforms that lots of people rely upon... without realizing what they owe to a language that few have ever heard of.
IOS

Over 225,000 Apple Accounts Compromised Via iOS Malware

An anonymous reader writes: Researchers from Palo Alto Networks and WeipTech have unearthed a scheme that resulted in the largest known Apple account theft caused by malware. All in all, some 225,000 valid Apple accounts have been compromised. The theft is executed via variants of the KeyRaider iOS malware, which targets jailbroken iOS devices. Most of the victims are Chinese — the malware is distributed through third-party Cydia repositories in China — but users in other countries have also been affected (European countries, the U.S., Australia, South Korea, and so on). "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device," Palo Alto researcher Claud Xiao explained. "KeyRaider steals Apple push notification service certificates and private keys, steals and shares App Store purchasing information, and disables local and remote unlocking functionalities on iPhones and iPads."
The Internet

CenturyLink Takes $3B In Subsidies For Building Out Rural Broadband

New submitter club77er writes with a link to a DSL Reports article outlining some hefty subsidies (about $3 billion, all told) that CenturyLink has signed up to receive, in exchange for expanding its coverage to areas considered underserved: According to the CenturyLink announcement, the telco will take $500 million a year for six years from the Federal Communications Commission (FCC)'s Connect America Fund (CAF). In exchange, it will expand broadband to approximately 1.2 million rural households and businesses in 33 states. While the FCC now defines broadband as 25 Mbps down, these subsidies require that the deployed services be able to provide speeds of at least 10 Mbps down.