
Security

The People Who Are Branding Vulnerabilities

Posted by Soulskill
from the it's-marketing-all-the-way-down dept.
antdude points out a story at ZDNet about how the naming of security vulnerabilities and exploits has evolved into branding and awareness campaigns. Heartbleed set the trend early this year, having a distinct name and logo to represent a serious security problem. It seemed to work; the underlying bug got massive exposure, even in the mainstream media. This raises a new set of issues — should the response to the disclosure of a vulnerability be dependent on how catchy its name is? No, but it probably will be. Heartbleed charmed the public, and in a way, it was designed to do so. By comparison Shellshock, POODLE (aka the clumsy "Poodlebleed"), Sandworm, the secretively named Rootpipe, Winshock, and other vulns seem like proverbial "red headed stepchildren" — despite the fact that each of these vulns is a critical issue, some are worse than Heartbleed, and all of them needed fast responses. The next "big bug" after Heartbleed was Shellshock — real name CVE-2014-6271. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb.
United Kingdom

Cameron Accuses Internet Companies Of Giving Terrorists Safe Haven

Posted by timothy
from the not-quite-on-the-money dept.
An anonymous reader writes with this snippet from The Guardian: "Internet companies are allowing their networks to be used to plot 'murder and mayhem', David Cameron has said in response to the official inquiry into the intelligence agencies' actions ahead of the killing of Lee Rigby. He demanded that internet companies live up to their social responsibilities to report potential terror threats and said there was no reason for such firms to be willing to cooperate with state agencies over child abuse but not over combatting terrorism. His comments to the House of Commons came after the parliamentary intelligence and security committee concluded that the brutal murder of Rigby could have been prevented if an internet company had passed on an online exchange in which one of the killers expressed 'in the most graphic terms' his intention to carry out an Islamist jihadi attack."
Sony

Sony Pictures Computer Systems Shut Down After Ransomware Hack

Posted by Soulskill
from the try-long-enough-and-you-find-a-soft-target dept.
MojoKid writes: It appears that Sony Pictures has become the victim of a massive ransomware hack, which has resulted in the company basically shutting down its IT infrastructure. According to an unnamed source, every computer in Sony's New York Office, and every Sony Pictures office across the nation, bears an image from the hacker with the headline "Hacked By #GOP" which is then followed by a warning. The hacker, or group, claims to have obtained corporate secrets and has threatened to reveal those secrets if Sony doesn't meet their demands.
The Military

How the Pentagon's Robots Would Automate War

Posted by Soulskill
from the peace-reigns-when-the-war-servers-are-down-for-scheduled-maintenance dept.
rossgneumann writes: Pentagon officials are worried that the U.S. military is losing its edge compared to competitors like China, and are willing to explore almost anything to stay on top—including creating robots capable of becoming fighting machines. A 72-page document throws detailed light on the far-reaching implications of the Pentagon's plan to monopolize imminent "transformational advances" in biotechnology, robotics and artificial intelligence, information technology, nanotechnology, and energy.
Security

Regin Malware In EU Attack Linked To US and British Intelligence Agencies

Posted by samzenpus
from the guess-who dept.
Advocatus Diaboli writes: The Regin malware, whose existence was first reported by the security firm Symantec on Sunday, is among the most sophisticated ever discovered by researchers. Symantec compared Regin to Stuxnet, a state-sponsored malware program developed by the U.S. and Israel to sabotage computers at an Iranian nuclear facility. Sources familiar with internal investigations at Belgacom and the European Union have confirmed to The Intercept that the Regin malware was found on their systems after they were compromised, linking the spy tool to the secret GCHQ and NSA operations.
Chrome

Google Chrome Will Block All NPAPI Plugins By Default In January

Posted by samzenpus
from the end-of-the-line dept.
An anonymous reader writes: Google today provided an update on its plan to remove the Netscape Plugin Application Programming Interface (NPAPI) from Chrome, which the company says will improve the browser's security, speed, and stability, as well as reduce complexity in the code base. In short, the latest timeline is as follows: block all plugins by default in January 2015, disable support in April 2015, and remove support completely in September 2015. For context, Google first announced in September 2013 that it was planning to drop NPAPI. At the time, Google said anonymous Chrome usage data showed just six NPAPI plugins were used by more than 5 percent of users, and the company was hoping to remove support from Chrome "before the end of 2014, but the exact timing will depend on usage and user feedback."
United States

DHS Set To Destroy "Einstein" Surveillance Records

Posted by samzenpus
from the nothing-to-see-here dept.
schwit1 sends word that the Department of Homeland Security plans on disposing of all the records from a 3-year-long surveillance program without letting the public have access to them. The Department of Homeland Security is poised to ditch all records from a controversial network monitoring system called "Einstein" that are at least three years old, but not for security reasons. DHS reasons the files — which include data about traffic to government websites, agency network intrusions and general vulnerabilities — have no research significance. But some security experts say, to the contrary, DHS would be deleting a treasure chest of historical threat data. And privacy experts, who wish the metadata wasn't collected at all, say destroying it could eliminate evidence that the government-wide surveillance system does not perform as intended. The National Archives and Records Administration has tentatively approved the disposal plan, pending a public comment period.
Books

Book Review: Bulletproof SSL and TLS

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes: If SSL is the emperor's new clothes, then Ivan Ristic in Bulletproof SSL and TLS has shown that perhaps the emperor isn't wearing anything at all. There is a perception that if a web site is SSL secured, then it's indeed secure. Read a few pages in this important book, and the SSL = security myth is dispelled. For the first 8 of the 16 chapters, Ristic, one of the greatest practical SSL/TLS experts around, spends 230 pages showing countless weaknesses, vulnerabilities, attacks and other SSL weaknesses. He then spends the next 8 chapters showing how SSL can, if done correctly, be deployed to provide adequate security. Keep reading for the rest of Ben's review.
Security

Nuclear Weapons Create Their Own Security Codes With Radiation

Posted by samzenpus
from the missile-protect-thyself dept.
Zothecula writes: "Nuclear weapons are a paradox. No one in their right mind wants to use one, but if they're to act as a deterrent, they need to be accessible. The trick is to make sure that access is only available to those with the proper authority. To prevent a real-life General Jack D. Ripper from starting World War III, Livermore National Laboratory's (LLNL) Defense Technologies Division is developing a system that uses a nuclear weapon's own radiation to protect itself from tampering."
Security

Highly Advanced Backdoor Trojan Cased High-Profile Targets For Years

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader points out this story at Ars about a new trojan on the scene. Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research. Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.
Open Source

Critical XSS Flaws Patched In WordPress and Popular Plug-In

Posted by timothy
from the switch-to-slashcode dept.
itwbennett writes: The WordPress development team on Thursday released critical security updates that address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments. "In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue," said Jouko Pynnonen, the security researcher who found the flaw.
Privacy

Top NSA Official Raised Alarm About Metadata Program In 2009

Posted by Soulskill
from the should-have-listened dept.
An anonymous reader sends this report from the Associated Press: "Dissenters within the National Security Agency, led by a senior agency executive, warned in 2009 that the program to secretly collect American phone records wasn't providing enough intelligence to justify the backlash it would cause if revealed, current and former intelligence officials say.

The NSA took the concerns seriously, and many senior officials shared them. But after an internal debate that has not been previously reported, NSA leaders, White House officials and key lawmakers opted to continue the collection and storage of American calling records, a domestic surveillance program without parallel in the agency's recent history."
Government

Obama's Immigration Order To Give Tech Industry Some, Leave 'Em Wanting More

Posted by Soulskill
from the everybody-gets-something-and-nobody-gets-everything dept.
theodp writes: "The high-tech industry," reports the Washington Post's Nancy Scola, "will have at least two things to be happy about in President Obama's speech outlining executive actions he'll take on immigration. The president plans to grant the tech industry some, but not nearly all, of what it has been after in the immigration debate. The first is aimed at increasing the opportunity for foreign students and recent graduates from U.S. schools to work in high-tech jobs in the United States. And the second is aimed at making it easier for foreign-born entrepreneurs to set up shop in the United States. According to the White House, Obama will direct the Department of Homeland Security to help students in the so-called STEM fields — science, technology, engineering and mathematics — by proposing, per a White House fact sheet released Thursday night, to 'expand and extend' the controversial Optional Practical Training program that now allows foreign-born STEM students and recent graduates to remain in the United States for up to 29 months. The exact details of that expansion will be worked out by the Department of Homeland Security as it goes through a rulemaking process."
Robotics

Microsoft Rolls Out Robot Security Guards

Posted by Soulskill
from the please-register-that-copy-of-windows.-you-have-20-seconds-to-comply dept.
An anonymous reader writes: Microsoft is testing a group of five robot security guards. They contain a sophisticated sensor suite that includes 360-degree HD video, thermal imaging, night vision, LIDAR, and audio recorders. They can also detect various chemicals and radiation signatures, and do some rudimentary behavioral analysis on people they see. (And they look a bit like Daleks.) The robots are unarmed, so we don't have to worry about a revolt just yet, but they can sound an alarm and call for human officers. They weigh about 300 lbs each, can last roughly a day on a battery charge, and know to head to the charging station when they're low on power.
United States

Greenwald Advises Market-Based Solution To Mass Surveillance

Posted by samzenpus
from the you-get-what-you-demand dept.
Nicola Hahn writes: In his latest Intercept piece Glenn Greenwald considers the recent defeat of the Senate's USA Freedom Act. He remarks that governments "don't walk around trying to figure out how to limit their own power." Instead of appealing to an allegedly irrelevant Congress, Greenwald advocates utilizing the power of consumer demand to address the failings of cyber security. Specifically, he argues that companies care about their bottom line and that the trend of customers refusing to tolerate insecure products will force companies to protect user privacy, implement encryption, etc. All told, Greenwald's argument is very telling: that society can rely on corporate interests for protection. Is it true that representative government is a lost cause and that lawmakers would never knowingly yield authority? There are people who think that advising citizens to devolve into consumers is a dubious proposition.
Bitcoin

Tracking a Bitcoin Thief, Part II: Illustrating the Issue of Trust In Altcoins

Posted by timothy
from the sometimes-the-good-guys-win dept.
An anonymous reader writes: The team over at the BITCOMSEC (Bitcoin Community Security) project released a second part to their 'Tracking a Bitcoin Thief' series in which they disclose what happened to a once-rising alternate cryptocurrency project that promised to place guaranteed value on its MidasCoins by backing it with actual gold. Dealing with the reality of user compromise, the project's founder ups and runs away with all of the community's coins, cashing them out at an exchange for Bitcoins. A sobering tale of trust issues within the alternate cryptocurrency community. (The first part is interesting, too.)
Privacy

Amnesty International Releases Tool To Combat Government Spyware

Posted by timothy
from the doing-the-right-thing dept.
New submitter Gordon_Shure_DOT_com writes: Human rights charity Amnesty International has released Detekt, a tool that finds and removes known government spyware programs. Describing the free software as the first of its kind, Amnesty commissioned the tool from prominent German computer security researcher and open source advocate Claudio Guarnieri, aka 'nex'. While acknowledging that the only sure way to prevent government surveillance of huge dragnets of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool (downloadable here) a useful countermeasure versus spooks. According to the app's instructions, it operates similarly to popular malware or virus removal suites, though systems must be disconnected from the Internet prior to scanning.
Botnet

Android Botnet Evolves, Could Pose Threat To Corporate Networks

Posted by samzenpus
from the protect-ya-neck dept.
angry tapir writes: An Android Trojan program that's behind one of the longest-running multipurpose mobile botnets has been updated to become stealthier and more resilient. The botnet is mainly used for instant message spam and rogue ticket purchases, but it could be used to launch targeted attacks against corporate networks because the malware allows attackers to use the infected devices as proxies, according to security researchers.
The Almighty Buck

Blowing On Money To Tell If It Is Counterfeit

Posted by samzenpus
from the huff-and-puff dept.
HughPickens.com writes: Scientific American reports that simply breathing on money could soon reveal if it's the real deal or counterfeit, thanks to a photonic crystal ink developed by Ling Bai and Zhongze Gu and colleagues at Southeast University in Nanjing, China, that can produce unique color-changing patterns on surfaces with an inkjet printer system which would be extremely hard for fraudsters to reproduce. The ink mimics the way Tmesisternus isabellae – a species of longhorn beetle – reversibly switches its color from gold to red according to the humidity in its environment. The color shift is caused by the adsorption of water vapor in their hardened front wings, which alters the thickness and average refractive index of their multilayered scales. To emulate this, the team made their photonic crystal ink using mesoporous silica nanoparticles, which have a large surface area and strong vapor adsorption capabilities that can be precisely controlled. The complicated and reversible multicolor shifts of mesoporous CPC patterns are favorable for immediate recognition by naked eyes but hard to copy. "We think the ink's multiple security features may be useful for antifraud applications," says Bai, "however we think the technology could be more useful for fabricating multiple functional sensor arrays, which we are now working towards."
The Courts

Court Shuts Down Alleged $120M Tech Support Scam

Posted by samzenpus
from the shutting-it-down dept.
wiredmikey writes: A federal court has temporarily shut down and frozen the assets of two telemarketing operations accused by the FTC of scamming customers out of more than $120 million by deceptively marketing computer software and tech support services. According to complaints filed by the FTC, since at least 2012, the defendants used software designed to trick consumers into believing there were problems with their computers and then hit them with sales pitches for tech support products and services to fix their machines.

According to the FTC, the scams began with computer software that claimed to improve the security or performance of the customer's computer. Typically, consumers downloaded a free, trial version of the software that would run a computer system scan. The scan always identified numerous errors, whether they existed or not. Consumers were then told that in order to fix the problems they had to purchase the paid version of the software for between $29 and $49. In order to activate the software after the purchase, consumers were then directed to call a toll-free number and connected to telemarketers who tried to sell them unneeded computer repair services and software, according to the FTC complaint. The services could cost as much as $500, the FTC stated.