Clinton Home Servers Had Ports Open ( 177

Jim Efaw writes: Hillary Clinton's home servers had more than just the e-mail ports open directly to the Internet. The Associated Press discovered, by using scanning results from 2012 "widely available online", that the server also had the RDP port open; another machine on her network had the VNC port open, and another one had a web server open even though it didn't appear to be configured for a real site. Clinton previously said that her server featured "numerous safeguards," but hasn't explained what that means. Apparently, requiring a VPN wasn't one of them.

Video DevOps: Threat or Menace? (Video) 50

The title above is a joke. Mostly. We've heard so much about DevOps -- good, bad, and indifferent -- from so many people who contradict each other, that we turned to Alan Zeichick, one of the world's most experienced IT analysts, to tell us what DevOps is and isn't, how it can help get work done (and done right), how it can hinder progress, and how to make sure DevOps is a help, not a hindrance, if you or your employers decide to implement DevOps yourselves at some point.

Japan Leads Push For AI-Based Anti-Cyberattack Solutions ( 33

An anonymous reader writes: Japanese firms NTT Communications and SoftBank are working to develop new artificial intelligence (AI) platforms, offering cyber-attack protection services to their customers. Up until recently, AI-based security systems were only used for certain scenarios, in online fraud detection for example. The new offerings will be the first commercially-available platforms of their type for use in a wide range of applications.

British Police Stop 24/7 Monitoring of Julian Assange At Ecuadorian Embassy ( 299

Ewan Palmer writes with news that police are no longer guarding the Ecuadorian Embassy where Wikileaks founder Julian Assange has been taking refuge for the past three years. According to IBTImes: "London police has announced it will remove the dedicated officers who have guarded the Ecuadorian Embassy 24 hours a day, seven days a week while WikiLeaks founder Julian Assange seeks asylum inside. The 44-year-old has been holed up inside the building since 2012 in a bid to avoid being extradited to Sweden to face sexual assault charges. He believes that once he is in Sweden, he will be extradited again to the US where he could face espionage charges following the leaking of thousands of classified documents on his WikiLeaks website. Police has now decided to withdraw the physical presence of officers from outside the embassy as it is 'no longer proportionate to commit officers to a permanent presence'. It is estimated the cost of deploying the officers outside the Embassy in London all day for the past three years has cost the British taxpayer more than $18m."

Can a New Type of School Churn Out Developers Faster? ( 236

Nerval's Lobster writes: Demand for software engineering talent has become so acute, some denizens of Silicon Valley have contributed to a venture fund that promises to turn out qualified software engineers in two years rather than the typical four-year university program. Based in San Francisco, Holberton School was founded by tech-industry veterans from Apple, Docker and LinkedIn, making use of $2 million in seed funding provided by Trinity Ventures to create a hands-on alternative to training software engineers that relies on a project-oriented and peer-learning model originally developed in Europe. But for every person who argues that developers don't need a formal degree from an established institution in order to embark on a successful career, just as many people seem to insist that a lack of a degree is an impediment not only to learning the fundamentals, but locking down enough decent jobs over time to form a career. (People in the latter category like to point out that many companies insist on a four-year degree.) Still others argue that lack of a degree is less of an issue when the economy is good, but that those without one find themselves at a disadvantage when the aforementioned economy is in a downturn. Is any one group right, or, like so many things in life, is the answer somewhere in-between?

Bernie Sanders Comes Out Against CISA 198

erier2003 writes: Sen. Bernie Sanders' opposition to the Cybersecurity Information Sharing Act in its current form aligns him with privacy advocates and makes him the only presidential candidate to stake out that position, just as cybersecurity issues loom large over the 2016 election, from email server security to the foreign-policy implications of data breaches. The Senate is preparing to vote on CISA, a bill to address gaps in America's cyberdefenses by letting corporations share threat data with the government. But privacy advocates and security experts oppose the bill because customers' personal information could make it into the shared data.

Dell To Buy EMC For $67 Billion ( 113

im_thatoneguy writes: After days of rumors, the NY Times is reporting that Dell will in fact be acquiring storage company (and VMWare parent) EMC in a record $67B deal being financed by a consortium of banks. Dell has confirmed the deal on their website.

Under the deal, Dell will pay $33.15 a share, which represents a premium even on top of EMC's current value, which had already jumped on initials rumors of a $50B acquisition last week. However, insiders say the deal won't be a straight forward cash buy-out of stock holders. Instead, EMC investors will receive about 70% in cash and the remainder in what's called a Tracking Stock, which will track the performance of just the VMWare Division within the new organization.


Hundreds of Southwest Flights Delayed By Online Booking Problems 35

An anonymous reader writes: A technology problem delayed hundreds of Southwest Airlines flights Sunday while the airline checked-in passengers manually at airports. Around 300 flights had been delayed as of Sunday afternoon. In a statement on its website, Southwest said intermittent technical issues "are impacting website performance in creating new bookings and requiring us to process some customers manually as they arrive for travel."

Kaspersky Fixes Bug That Allowed Attackers To Block Windows Update & Others ( 33

An anonymous reader writes with this story at Softpedia about Google Project Zero security researcher Tavis Ormandy's latest find. A vulnerability that allowed abuse by attackers was discovered and quickly fixed in the Kaspersky Internet Security antivirus package, one which allowed hackers to spoof traffic and use the antivirus product against the user and itself. Basically, by spoofing a few TCP packets, attackers could have tricked the antivirus into blocking services like Windows Update, Kaspersky's own update servers, or any other IPs which might cripple a computer's defenses, allowing them to carry out further attacks later on.

Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC ( 80

An anonymous reader writes: Online security firm Sicuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sicuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sicuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."

Another Drone Crashes Near White House ( 57

An anonymous reader writes: A man has been given a citation for flying a Drone near the Washington Monument and crashing on the Ellipse, a grassy area outside of the security perimeter near the White House South Lawn. Howard Solomon III said he had been trying to take pictures of the monument and that the wind blew the drone across a street that divides the Ellipse from the grounds of the Washington Monument. A spokeswoman for the U.S. Park Police says Solomon didn't appear to be doing anything 'nefarious' but added, hat this was the ninth time a drone has been flown in a national park in the greater Washington area in 2015 and the 26th since 2013.

Cyberattacks: Do Motives and Attribution Matter? 44

An anonymous reader writes: Whenever people think of APTs and targeted attacks, they ask: who did it? What did they want? While those questions may well be of some interest, a potentially more useful question to ask is: what information about the attacker can help organizations protect themselves better? Let's look at things from the perspective of a network administrator trying to defend an organization. If someone wants to determine who was behind an attack, maybe the first thing they'll do is use IP address locations to try and determine the location of an attacker. However, say an attack was traced to a web server in Korea. What's not to say that whoever was responsible for the attack also compromised that server? What makes you think that site's owner will cooperate with your investigation?

China Arrests Hackers At Behest of US Government ( 74

An anonymous reader writes: For the first time, the Chinese government has arrested a group of hackers at the request of the United States. The hackers are suspected of having "stolen commercial secrets" from companies in the U.S., which were then passed on to Chinese competitors. "The arrests come amid signs of a potential change in the power balance between the U.S. and Chinese governments on commercial cyberespionage, one of the most fraught issues between the two countries. For years, U.S. firms and officials have said Beijing hasn't done enough to crack down on digital larceny." It's a big first step in establishing a functional cybersecurity relationship between the two nations. Now, everyone will be watching to see if China follows up the arrests with prosecution. "A public trial is important not only because that would be consistent with established principles of criminal justice, but because it could discourage other would-be hackers and show that the arrests were not an empty gesture."

Ask Slashdot: Knowledge Management Systems? 132

Tom writes: Is there an enterprise level equivalent of Semantic MediaWiki, a Knowledge Management System that can store meaningful facts and allows queries on it? I'm involved in a pretty large IT project and would like to have the documentation in something better than Word. I'd like it to be in a structured format that can be queried, without knowing all the questions that will be asked in the future. I looked extensively, and while there are some graphing or network layout tools that understand predicates, they don't come with a query language. SMW has both semantic links and queries, but as a wiki is very free-form and it's not exactly an Enterprise product (I don't see many chances to convince a government to use it). Is there such a thing?
Open Source

Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source ( 74

Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."

Disclosed Netgear Flaws Under Attack ( 17

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300- The flaw allows an attacker, without knowing the router password, to access the administration interface.
Operating Systems

NetBSD 7.0 Released ( 56

An anonymous reader writes: After three years of development and over a year in release engineering, NetBSD 7.0 has been released. Its improvements include added support for many new ARM boards including the Raspberry Pi 2, major improvements to its multiprocessor-compatible firewall NPF, kernel scripting in Lua, kernel mode-setting for Intel and Radeon graphics chips, and a daemon called blacklistd(8) which integrates with numerous network daemons and shields them from flood attempts.

US Government Will Not Force Companies To Decode Encrypted Data... For Now ( 108

Mark Wilson writes: The Obama administration has announced it will not require companies to decrypt encrypted messages for law enforcement agencies. This is being hailed as a "partial victory" by the Electronic Frontier Foundation; partial because, as reported by the Washington Post, the government "will not — for now — call for [such] legislation." This means companies will not be forced to build backdoors into their products, but there is no guarantee it won't happen further down the line. The government wants to continue talks with the technology industry to find a solution, but leaving things in limbo for the time being will create a sense of unease on both sides of the debate. The EFF has also compiled a report showing where the major tech companies stand on encryption.

LogMeIn To Acquire LastPass For $125 Million ( 100

An anonymous reader writes: LogMeIn has agreed to acquire LastPass, the popular single-sign-on (SSO) and password management service. Under the terms of the transaction, LogMeIn will pay $110 million in cash upon close for all outstanding equity interests in LastPass, with up to an additional $15 million in cash payable in contingent payments which are expected to be paid to equity holders and key employees of LastPass upon the achievement of certain milestone and retention targets over the two-year period following the closing of the transaction.

First Successful Collision Attack On the SHA-1 Hashing Algorithm ( 87

Artem Tashkinov writes: Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function. They describe their work in the paper "Freestart collision for full SHA-1". The work paves the way for full SHA-1 collision attacks, and the researchers estimate that such attacks will become reality at the end of 2015. They also created a dedicated web site humorously called The SHAppening.

Perhaps the call to deprecate the SHA-1 standard in 2017 in major web browsers seems belated and this event has to be accelerated.